
PCI DSS and release deployment automation

One of the PCI DSS rules is:

"The PCI DSS applies to all system components included in or connected to the cardholder data environment"

How would you go about handling an SCM/release automation server? There has to be a port open from some server in the dev network segment making its way to some server in the prod network segment.

Developers produce code, followed by the build manager producing release artifacts. Release artifacts must make their way to production. How do release artifacts make their way from dev to production – how do they make their way from the “not in scope” dev box to the “in scope” production box?

asked Oct 20 '22 14:10 by Pavel Chernikov


1 Answer

There's probably not a really good answer to this; to my knowledge you can't have a truly automated continuous deployment solution that doesn't cause 'in scope' to creep back to the development systems. So you have to have a manual step involved in deployment, but you can make that step as small as possible.

In the retail system I was recently working on (~100 cash registers in ~80 locations) we picked one register that happened to have some excess network bandwidth, and designated it as the 'island' system. We'd be able to take an update as a single file (zip or something) and drop it on that system, and it would install there, then propagate out to all the other registers in all locations. So we've narrowed the window of manual effort to a single file on a single register.

The safest and simplest way to cross that bridge is SneakerNet -- bring that file on a thumbdrive to that system every time there's a software update -- but it is possible to use a remote desktop approach to copy a file to that system and stay within scope, as long as the process is not automated and you're on entirely unrelated networks.

answered Oct 22 '22 22:10 by Hunter Green
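As an added illustration (not code from the question or the answer), here is what the island register's "accept a single file" step can look like in Python: it takes exactly one hand-delivered zip from a local drop directory, verifies it against a checksum sidecar, stages it with a path-escape check, and appends an audit record of what crossed the boundary. The sidecar naming (`<name>.zip.sha256`), the JSON-lines audit log and the directory layout are assumptions; the fan-out to the other registers is left to whatever mechanism the site already uses.

```python
import hashlib
import json
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path


def ingest_release(drop_dir: Path, stage_dir: Path, audit_log: Path) -> dict:
    """Accept the one release zip that an operator placed in drop_dir by hand.

    Only the local filesystem is touched: nothing here opens a connection back
    toward the dev network, which is what keeps the island a one-way boundary.
    """
    zips = sorted(drop_dir.glob("*.zip"))
    if len(zips) != 1:
        raise ValueError(f"expected exactly one release zip, found {len(zips)}")
    artifact = zips[0]
    # Assumed convention: a sidecar file <name>.zip.sha256 travels with the zip.
    sidecar = artifact.with_name(artifact.name + ".sha256")
    if not sidecar.exists():
        raise ValueError(f"missing checksum sidecar {sidecar.name}")
    actual = hashlib.sha256(artifact.read_bytes()).hexdigest()
    if actual != sidecar.read_text().split()[0].lower():
        raise ValueError("checksum mismatch: refusing to stage the release")
    stage_root = stage_dir.resolve()
    with zipfile.ZipFile(artifact) as zf:
        # Reject entries that would land outside stage_dir (zip-slip) before extracting.
        for name in zf.namelist():
            if not (stage_root / name).resolve().is_relative_to(stage_root):
                raise ValueError(f"unsafe path in archive: {name}")
        zf.extractall(stage_root)
        files = [n for n in zf.namelist() if not n.endswith("/")]
    record = {"artifact": artifact.name, "sha256": actual, "files": files,
              "staged_at": datetime.now(timezone.utc).isoformat()}
    with audit_log.open("a") as log:  # append-only trail of what crossed the boundary
        log.write(json.dumps(record) + "\n")
    return record


if __name__ == "__main__":
    # Constructed sample: a tiny release zip plus its sidecar, as an operator would drop it.
    tmp = Path(tempfile.mkdtemp())
    (tmp / "drop").mkdir()
    art = tmp / "drop" / "release-1.2.3.zip"
    with zipfile.ZipFile(art, "w") as zf:
        zf.writestr("app/version.txt", "1.2.3\n")
    art.with_name(art.name + ".sha256").write_text(hashlib.sha256(art.read_bytes()).hexdigest() + "\n")
    print(ingest_release(tmp / "drop", tmp / "stage", tmp / "audit.jsonl"))
```

Anything that fails verification stays in the drop directory untouched, so the operator sees exactly which file was refused and why.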