When personnel access cardholder data via remote-access technologies, what is prohibited unless explicitly authorized for a defined business need?

• A. Copying, moving, or storing cardholder data onto local hard drives and removable electronic media.
• B. Accessing cardholder data from any device without logging.
• C. Printing cardholder data for administrative purposes.
• D. Transferring cardholder data to cloud storage automatically.

Answer: (A)

The main idea is protecting cardholder data by preventing it from being stored outside the controlled, monitored environment. When personnel access cardholder data remotely, storing that data on local hard drives or removable media creates a copy outside the secured system, increasing the risk of exposure, loss, or theft. PCI DSS requires that such copying or local storage be prohibited unless there is a clearly defined business need and explicit authorization. That makes this option the best choice because it directly targets the risk of data being left on personal or non-secure devices.

Other actions can be allowed under proper controls: access should be authenticated and logged, printing can be restricted and monitored, and transferring data to cloud storage may be permitted if encryption, access controls, and monitoring are in place and a valid business need exists. But the blanket prohibition on storing CHD on local devices is the clearest, strongest rule.