PCI DSS requirement 6.4.2 separation of duties between development/test environments

It is, of course, always wisest to accept the judgements of your QSA when making judgement calls, however during your own in-house compliance work I recommend checking out the Navigating PCI-DSS: Understanding the Intent of the Requirements document whenever confused by a requirement.

Looking at page 32 of that document we see the following write-up regarding requirement 6.4.2:

Reducing the number of personnel with access to the production environment and cardholder data minimizes risk and helps ensure that access is limited to those individuals with a business need to know.

The intent of this requirement is to ensure that development/test functions are separated from production functions. For example, a developer may use an administrator-level account with elevated privileges for use in the development environment, and have a separate account with user-level access to the production environment.

In environments where one individual performs multiple roles (for example application development and implementing updates to production systems), duties should be assigned such that no one individual has end-to-end control of a process without an independent checkpoint. For example, assign responsibility for development, authorization and monitoring to separate individuals.

So, by the strictest reading, then yes. Developers have access to the development system, and may have user role access to production, but a separate individual will actually perform application installs/administration and system administration of the production environment. The real purpose of all this, as discussed in the last paragraph, is that there is no single individual that has end-to-end administrative control of the service. What they want are multiple people with visibility into the process so that no single person can make changes in development and roll them into production unquestioned.

So, whenever possible, the official advice would be best summed up with a picture.

[image: segregation_of_roles]

In serious practice, however, you need to figure out how best to manage that auditing and/or segregation while documenting your processes and eventually getting it properly handled by your QSA.


PCI-DSS is an exceptionally broad (and interpretative) set of rules - so this answer is probably best answered by a QSA (for anything other than opinion/hearsay).

However, our interpretation is such that the environments have to be separate, but not necessarily on physically separate hardware. Using VPS/virtualisation is a great way to securely partition up a physical server and still maintain PCI compliance without falling under the "a machine for each role" rule.


Here is the issue with this particular item. When evaluated on wording alone it seems clear that different people are required for different environments. However a great many companies and even QSAs believe that this is a one-way road. If you have access to development and do development, then you shouldn't have access to production.

The issue with this is that individuals with access to production should not have access to development either. With access to development environments they would be able to reverse engineer any security measures that are in place to secure the data in the environment. So looking at the model of Code and Data, you have to separate the two at all levels. Those who have access to the code should not have access to the data, and those who have access to the data should not have access to the code. Development environments need to be segregated from other company operations. Production DBAs should not have access to or control over development DBs.
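As an added example (not code from any of the answers above), a small Python check that applies the two readings in this thread to a constructed access inventory: the first answer's rule (no one holds admin-level access in both development and production, while user-level production access for a developer is fine) and this answer's stricter rule (no one has access to both environments at all), plus the end-to-end-control check from the quoted guidance (development, authorization and monitoring must not sit with one person). The names, environments and duty labels are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory: (person, environment, access level).
ACCESS = [
    ("alice", "dev", "admin"), ("alice", "prod", "user"),
    ("bob", "dev", "admin"), ("bob", "prod", "admin"),
    ("carol", "prod", "admin"),
]
# Constructed sample duty assignments for the change/release process.
DUTIES = {
    "alice": {"development"},
    "bob": {"development", "authorization", "monitoring"},
    "carol": {"authorization", "monitoring"},
}
END_TO_END = {"development", "authorization", "monitoring"}

def envs_by_person(access, levels=None):
    """Map person -> set of environments where they hold one of `levels`
    (any level when `levels` is None)."""
    envs = defaultdict(set)
    for person, env, level in access:
        if levels is None or level in levels:
            envs[person].add(env)
    return envs

def admin_conflicts(access):
    """First answer's reading: admin-level access in both dev and prod.
    A developer with only user-level prod access is not flagged."""
    envs = envs_by_person(access, levels={"admin"})
    return sorted(p for p, e in envs.items() if {"dev", "prod"} <= e)

def any_access_conflicts(access):
    """Third answer's stricter reading: any access to both dev and prod,
    so that code and data are separated at every level."""
    envs = envs_by_person(access)
    return sorted(p for p, e in envs.items() if {"dev", "prod"} <= e)

def end_to_end_conflicts(duties):
    """People holding development, authorization and monitoring of the
    same process, i.e. no independent checkpoint exists."""
    return sorted(p for p, d in duties.items() if END_TO_END <= d)

def sod_report(access, duties, strict=False):
    """Combine the environment rule (lenient or strict) with the duty rule."""
    env_rule = any_access_conflicts if strict else admin_conflicts
    return {"env_conflicts": env_rule(access),
            "end_to_end_control": end_to_end_conflicts(duties)}

if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lenient", sod_report(ACCESS, DUTIES, strict))
```

Run against a real inventory, the strict reading flags every developer who keeps even user-level production access, which is exactly the disagreement between the answers that a QSA has to settle.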