Question

We need to be PCI compliant for some credit card processing we do. How do people do this in other shops?

How do you secure your SVN?

How do you secure your build server?

How does code get migrated from the developers to production?

Solution

Not to detract from the other answer, but the other thing you do is limit the scope of compliance by walling off the systems that see or touch card data from the rest of your IT infrastructure. There should be no need for your SVN server or build server to comply with PCI requirements if there's no way for it to see cardholder data (of course, you must be able to show that this is actually a policy and not just an accident of how the network is set up).

OTHER TIPS

This is all the process of PCI compliance.

Take a look at: http://www.keross.com/pci-dss-requirements-version-1.2.html

Typically, you'd hire an external security company who would help you through this process.

-- edit:

That link not lasting for 3 years, as requested I have googled "PCI DSS Compliance" to obtain: https://www.pcisecuritystandards.org/security_standards/index.php

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow