Is it possible to use any remote DVCS (GitHub, Bitbucket, etc.) with PCI DSS or should I host Git on my own server?
14
- it depends on your scope - I think you need to add some details ... – schroeder Oct 25 '16 at 19:39
- Use GitHub for what? public or private repository? – crovers Oct 25 '16 at 19:41
- @schroeder Payment system aggregator – iwex Oct 25 '16 at 20:05
- @crovers Of course private :) – iwex Oct 25 '16 at 20:06
1 Answer
29
Note: not a QSA, but I do have some PCI experience.
There is nothing in PCI about storage of source code - there are requirements about change management, which GitHub would help with, but nothing about where source code should be or any requirements to keep source code private (it allows use of open source, after all). Given a private repo and assuming you do not store authentication information (keys, app IDs, passwords, API keys, certificates), PCI governed data or PII in GitHub repositories (which you shouldn't be doing anyway), you are probably fine using GitHub. Talk to your QSA if you want to be sure.
crovers
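The answer's condition is that no keys, passwords, PCI-governed card data or PII end up in the repository. As an added illustration of how a team can check that condition before code is pushed (this is not code from the original post or from GitHub), here is a small pre-commit style scanner in Python. It flags digit runs that look like a card number only when they pass the Luhn check, so build numbers and timestamps are not reported, and it reports a few common credential patterns; found card numbers are masked to the first six and last four digits in the output. The file names, file contents and patterns are constructed for this example.

```python
"""Scan repository text for card-number-shaped data and common credentials.

Added example: a minimal pre-commit check, not the project's or GitHub's own
tooling. The sample files and the patterns below are constructed for illustration.
"""
import re
import sys

# Runs of 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A few illustrative credential patterns (not an exhaustive list).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|api[_-]?key|secret)\s*[:=]\s*['\"]?[^\s'\"]{6,}"
    ),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest (PCI-style display)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return all Luhn-valid, 13-19 digit card-number candidates in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_file(path: str, content: str) -> list:
    """Return (path, line_no, kind, detail) tuples for every finding in one file."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((path, line_no, "possible_pan", mask_pan(pan)))
        for kind, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                findings.append((path, line_no, kind, line.strip()[:60]))
    return findings


def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> text content (e.g. the staged files of a commit)."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings


# Constructed sample "staged files": one real-looking secret, one test card number,
# one build id that is digit-shaped but fails Luhn, and a private key header.
SAMPLE_FILES = {
    "settings.py": 'DEBUG = False\ndb_password = "hunter2secret"\nTIMEOUT = 30\n',
    "tests/fixtures.py": 'CARD = "4111 1111 1111 1111"\nBUILD_ID = "1234567890123"\n',
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n",
}


def exit_code(findings: list) -> int:
    """Non-zero when anything was found, so a pre-commit hook blocks the commit."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES)
    for path, line_no, kind, detail in results:
        print(f"{path}:{line_no}: {kind}: {detail}")
    sys.exit(exit_code(results))
```

Wired into a pre-commit hook, the non-zero exit stops the commit until the offending line is moved to a secrets manager or replaced with a fixture that is not a valid PAN; the Luhn filter keeps the check quiet on ordinary numeric identifiers.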
- This is all correct - I'm a QSA. Just need to be sure there's separation of duties between dev/test and production environments and people responsible for each. i.e. don't allow an admin access to and ability to change source code and later deploy to production environments. – AndyMac Oct 25 '16 at 21:35