Reducing Scope of Systems Subject to PCI Audit Standards

D.

The correct answer is option C: Move the cardholder data environment into a separate GCP project.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It applies to all organizations that accept credit card payments, regardless of their size or transaction volume.

To reduce the scope of systems subject to PCI audit standards, the security team should move the cardholder data environment into a separate GCP project. This approach is called "segmentation" or "isolation" and involves separating the sensitive data from the rest of the systems.

By doing so, the security team can limit the scope of the PCI audit to only the systems that store, process, or transmit credit card data, thereby reducing the overall cost and complexity of the audit process. Segmentation also allows the security team to apply more rigorous security controls to the cardholder data environment without affecting the rest of the systems.

Option A, using multi-factor authentication for admin access to the web application, is a good security practice, but it does not directly address the scope of the PCI audit.

Option B, using only applications certified compliant with PA-DSS (Payment Application Data Security Standard), is also a good practice, but it does not directly address the scope of the PCI audit either.

Option D, using VPN for all connections between your office and cloud environments, is a good practice for securing network connections but does not directly address the scope of the PCI audit.