An enterprise has decided to implement a new service that will process credit card information.
They will deploy this service within a hybrid cloud.
Their public cloud provider claims to be PCI DSS compliant. The enterprise wishes to implement a
service that is PCI compliant with the least amount of effort. The service is protected by a policy
based intrusion detection system. Cardholder data is securely transmitted to the web interface.
Which additional design elements would best be suited for this implementation?

A.
The card number is masked as it is typed and is immediately encrypted and securely sent
directly to the credit card processing system. No credit card information is stored within the
application.

B.
The card number is masked as it is typed and is immediately encrypted and securely sent
directly to the credit card processing system. Credit card information is stored using AES 128
encryption within the public cloud provider or within the private cloud, depending on the location of
the service.

C.
The card number is masked as it is typed and is immediately encrypted and securely sent
directly to the credit card processing system. Credit card information is only stored in the public
cloud provider’s systems using AES 128 encryption.

D.
The card number is masked as it is typed and is immediately encrypted and securely sent to
both the credit card processing system and to the private cloud for historical tracking and reporting
only.