Production vs. Test
gigaone
03-04-2009, 05:33 AM
In an ecommerce environment the content master server (used to update content) resides in the production environment. This CM (“content master”) server is not viewable by the public. Content testing, particularly for configure to order content, is completed on the content master server. Testers have access to this server but do not have access to PANs – only dummy data is used. Testers are testing to ensure the content updates correctly and are placing test CTO orders with dummy data. This test data is not moved to the production environment. The CM content progresses into production after successful content verification. Testers do not have access to any other area within production. Does this violate PCI 6.3.2, 6.3.3 or 6.3.5?
rarosado
03-04-2009, 07:45 AM
Who migrates the changed content?
If it is a group that is independent from the actual group performing the content changes, based on your description it seems that it would meet 6.3.2, 6.3.3 and 6.3.5.
Although test procedure 6.3.b states: "From an examination of written software development processes, interviews of software developers, and examination of relevant data (network configuration documentation, production and test data, etc.), verify that:", you probably should verify that this is in fact the case (review of permissions for these environments - production and test, change records demonstrating migration activities and approvals, etc.).
Keep in mind, since the content manager server is located within the production environment, then all applicable PCI controls apply (i.e., the server is within scope: hardening, user ID and password controls, logging, file integrity monitoring, etc.).
Just my 2 cents...
jbhall56
03-05-2009, 05:57 AM
Rarosado states very good points regarding this situation and I agree with their analysis.
I would highly recommend getting this CM server out of your production environment because it is not a production device. People with access to this server also get implicit access to the rest of the DMZ since they are also the people that likely update production. Therefore this increases the necessity of monitoring and the like to ensure that these users do not effect any unapproved changes to production. This is more trouble than it's worth.