CompTIA CASP+ (CAS-004) — Question 628
A company uses a CSP to provide a front end for its new payment system offering. The new offering is currently certified as PCI compliant. In order for the integrated solution to be compliant, the customer:
Answer options
- A. must also be PCI compliant, because the risk is transferred to the provider.
- B. still needs to perform its own PCI assessment of the provider's managed serverless service.
- C. needs to perform a penetration test of the cloud provider's environment.
- D. must ensure in-scope systems for the new offering are also PCI compliant.
Correct answer: D
Explanation
The correct answer is D because all systems involved in processing payment information must comply with PCI requirements for the overall solution to be compliant. Option A is incorrect because the risk does not fully transfer to the provider; the customer still has responsibilities. Option B is not valid because the customer must ensure the compliance of its own systems directly, and option C is unrelated to the requirement of ensuring PCI compliance.