As part of change control, what is required for approvals?


Multiple Choice

As part of change control, what is required for approvals?

Explanation:
In PCI DSS, changes to systems and configurations must go through a formal, documented approval process before implementation. This means the change is reviewed and signed off by authorized parties who have the authority to approve such modifications. Documented approvals create an auditable trail that shows who approved what, when, and why, ensuring accountability and showing that the change has been assessed for risk and security impact. The approval should come from designated individuals or a change control authority, not from an arbitrary person. In addition, change control typically includes testing and defined back-out procedures, so answer options that skip testing or imply that back-out plans are not required do not fit proper change-management practice.

