Why are live production PAN data not used for testing or development?

Multiple Choice

Why are live production PAN data not used for testing or development?

Explanation:
Handling PAN data in testing and development is about preventing exposure of highly sensitive payment information. Live production PANs carry a high risk because they can end up in logs, error messages, backups, or developer machines, and in test environments security controls are often less stringent. Keeping real PANs in those environments increases the chance of accidental leaks, misuse, or unauthorized access, which PCI DSS aims to prevent. Using masked or synthetic data preserves the structure needed for realistic testing while removing the sensitive values, reducing risk significantly. If PAN must be used at all, masking or tokenization and strict access controls are required, but the core motivation for avoiding live PANs in testing is protecting sensitive data from exposure.
