PCI DSS 6.3.2 Clarification


DanB
01-12-2009, 11:40 AM
Greetings!
PCI DSS 6.3.2 says, "The development/test environments are separate from the production environment, with access control in place to enforce the separation," and PCI DSS 6.3.3 says, "There is a separation of duties between personnel assigned to the development/test environments and those assigned to the production environment."

Now my dilemma is that in our environment the Development and production teams are the same. We do have a separate Testing/QA department that is access controlled and in a secure office. How do we stay in compliance without adding more personnel or shifting the current team?

Thanks,

Dan

jbhall56
01-14-2009, 04:18 AM
There is no way to accomplish compliance with your suggestions without going down the compensating controls route. However, I seriously doubt you will be able to put in place a compensating control to meet the requirement without adding personnel.

The problem that these requirements are trying to avoid is an application developer being able to modify code and place it in production without anyone's knowledge. This is how programmers end up putting fraudulent code into applications and then organizations and their customers get taken. As a result, developers, quality assurance and production personnel need to be totally separate from one another. That said, there are creative ways to avoid raising headcount. You can do this by having applications QA'd by developers not involved in the development of the application being tested. Your other option is to have dedicated production personnel that also double as QA personnel. However, under no circumstances should developers also be your production staff. That is a problem waiting to happen.

However, since I know little about your environment, I cannot say that even implementing these changes will avoid adding staff. However, there may not be any way around the problem and achieve compliance without adding staff.

DanB
01-14-2009, 07:55 AM
Jeff,
Thank you, you have answered my question and it comes down to a definition of what constitutes "Production". Our Q/A staff is also the staff solely responsible for allowing the code to be released.

Now I have a further question along these same lines concerning the Dev/Test groups. The testing is done by Dev staff that are not working on the applications being tested. Does that count towards compliance or compensating controls?

jbhall56
01-15-2009, 09:53 AM
Based on your question, I'm assuming that you have developers that serve as independent QA testers for code they have not been involved in.

Your answer depends on how you ensure that application developers that are conducting the QA testing are independent of the application they are testing. As long as you have a documented process in place that keeps the QA function independent from development and you have some sort of audit trail or other proof that it is independent, you should be okay. A number of my clients use project management software, their help desk system or even a shared folder in Exchange to provide the necessary audit trail. A little bit of a pain in the butt, but it works.
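The audit trail jbhall56 describes is only useful if someone actually checks it. The script below is an added example, not from anyone in this thread, of the check an assessor or internal auditor would run over such a trail: for each release it confirms that the people who developed the change are not the same people who QA-tested it (the Dev/Test independence discussed above) or released it to production (6.3.3). The CSV export format, its column names and the names in it are all constructed for the example; a real export would come from whatever ticketing or project-management system holds the trail.

```python
"""Separation-of-duties check over a release audit trail (added example)."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample export, not real data. One row per release, the people
# in each role separated by ';'. The column names are an assumption about
# what a ticketing-system export might look like.
SAMPLE_EXPORT = """change_id,developers,qa_testers,releasers
CHG-1001,alice;bob,carol,dave
CHG-1002,alice,alice;erin,dave
CHG-1003,bob,carol,bob
CHG-1004,erin,,dave
"""


@dataclass(frozen=True)
class ReleaseRecord:
    change_id: str
    developers: FrozenSet[str]   # wrote the code
    qa_testers: FrozenSet[str]   # tested it independently
    releasers: FrozenSet[str]    # moved it into production


def _people(field: str) -> FrozenSet[str]:
    """Split a ';'-separated list of names, ignoring blanks."""
    return frozenset(p.strip() for p in field.split(";") if p.strip())


def parse_export(text: str) -> List[ReleaseRecord]:
    """Parse the constructed CSV export into release records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        ReleaseRecord(
            change_id=row["change_id"],
            developers=_people(row["developers"]),
            qa_testers=_people(row["qa_testers"]),
            releasers=_people(row["releasers"]),
        )
        for row in reader
    ]


def sod_violations(rec: ReleaseRecord) -> List[str]:
    """Return the separation-of-duties problems found in one release.

    A change passes only if it was QA-tested and released by people other
    than its developers, and both roles are actually recorded.
    """
    problems: List[str] = []
    if not rec.qa_testers:
        problems.append("no independent QA tester recorded")
    if not rec.releasers:
        problems.append("no production releaser recorded")
    for name in sorted(rec.developers & rec.qa_testers):
        problems.append(f"{name} both developed and QA-tested the change")
    for name in sorted(rec.developers & rec.releasers):
        problems.append(f"{name} both developed and released the change to production")
    return problems


def audit(records: List[ReleaseRecord]) -> Dict[str, List[str]]:
    """Map each non-compliant change id to its list of problems."""
    return {r.change_id: v for r in records if (v := sod_violations(r))}


if __name__ == "__main__":
    for change_id, problems in audit(parse_export(SAMPLE_EXPORT)).items():
        print(change_id)
        for problem in problems:
            print("  -", problem)
```

Run against the sample, CHG-1001 is clean, CHG-1002 is flagged because alice tested her own code, CHG-1003 because bob released his own code, and CHG-1004 because no tester was recorded at all; that last case is the one an assessor will ask about first, since a missing entry is indistinguishable from a skipped control.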