Raf,

Thanks. As to your "good enough", it is my stance that if you follow the intent of my comments, then:

1. You have reduced risk to an acceptable level (so yes to me "secure")
2. You can meet the requirements of PCI-DSS

Note that I do not equate the 2 :)

As for the test data. There are test PANs that can, and should, be used. If there is no PAN, then no CHD. If you pull prod back into test/dev, then you need a sanitizing process to replace real PAN with test ones. It is that simple. While there may be exceptions, that is the rule that should be followed.
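
A sketch of the sanitizing step described in the comment above, added here as an illustration and not part of the original post: it finds Luhn-valid card numbers in text pulled from production and swaps them for test PANs, then re-scans to confirm none remain. All function names are hypothetical, the two test PANs are the widely published card-brand test numbers (assumed to be the ones your test environment accepts), and the sample rows are constructed.

```python
import re

# Widely published card-brand test PANs, keyed by length (assumption: these
# are the test numbers accepted in your test/dev environment).
TEST_PANS = {16: "4111111111111111", 15: "378282246310005"}

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def with_check_digit(partial: str) -> str:
    """Append the Luhn check digit (used only to build constructed samples)."""
    return next(partial + str(c) for c in range(10) if luhn_ok(partial + str(c)))

def sanitize(text: str) -> str:
    """Replace every Luhn-valid PAN that is not already a test PAN."""
    def swap(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits) or digits in TEST_PANS.values():
            return m.group()                # not a PAN, or already a test PAN
        # Lengths without a listed test PAN fall back to the 16-digit one.
        return TEST_PANS.get(len(digits), TEST_PANS[16])
    return CANDIDATE.sub(swap, text)

def residual_pans(text: str) -> list:
    """Post-check: Luhn-valid candidates that are not known test PANs."""
    found = (re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text))
    return [d for d in found if luhn_ok(d) and d not in TEST_PANS.values()]

# Constructed sample rows (not real cardholder data).
SAMPLE_PAN = with_check_digit("400000123456789")
SAMPLE_ROWS = [
    f"order=1000000000000001 card={SAMPLE_PAN}",
    f"card={SAMPLE_PAN[:4]}-{SAMPLE_PAN[4:8]}-{SAMPLE_PAN[8:12]}-{SAMPLE_PAN[12:]} name=TEST USER",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(sanitize(row))
```

Running `residual_pans` over the sanitized copy before it is loaded into test/dev gives a simple gate: a non-empty result means the copy still holds something that looks like a real PAN.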