Google Cloud Professional Cloud Security Engineer — Question 22

You are a member of the security team at an organization. Your team has a single GCP project with credit card payment processing systems alongside web applications and data processing systems. You want to reduce the scope of systems subject to PCI audit standards.
What should you do?

Answer options

• A. Use multi-factor authentication for admin access to the web application.
• B. Use only applications certified compliant with PA-DSS.
• C. Move the cardholder data environment into a separate GCP project.
• D. Use VPN for all connections between your office and cloud environments.

Correct answer: C

Explanation

The correct answer is C because separating the cardholder data environment into its own GCP project reduces the scope of systems that need to comply with PCI audit standards. Options A, B, and D do not specifically address the requirement to limit the number of systems subject to PCI compliance, hence they do not effectively reduce the audit scope.