GRCWatch
Sign inStart free trial

PCI DSS 6.5.3: Separating Pre-Production from Production Environments

Pre-production and production environments must be strictly separated to prevent unauthorized changes and data exposure in live systems. PCI DSS 6.5.3 requires technical controls that physically or logically isolate these environments. This control protects cardholder data by ensuring development and testing activities never directly impact your production infrastructure.

What this means

Pre-production environments (development, staging, testing) must be segregated from production systems where live cardholder data resides. The separation must be enforced through technical access controls—not just policies. Users, applications, and data flows in pre-production should have no direct pathway to production without explicit, monitored approval. This prevents developers from accidentally or intentionally introducing vulnerabilities, malware, or unauthorized changes into systems handling payment card data.

How to comply

  1. 1.Map all pre-production environments (dev, test, staging) and document their separation from production systems
  2. 2.Implement network segmentation using firewalls, VLANs, or cloud security groups to physically isolate environments
  3. 3.Configure access controls so pre-production credentials cannot access production systems and vice versa
  4. 4.Restrict production data promotion—only sanitized, masked test data flows to pre-production
  5. 5.Log and monitor all cross-environment access attempts, approvals, and data transfers
  6. 6.Document the technical controls enforcing separation and review them during configuration audits
  7. 7.Ensure application deployments from pre-production to production require separate approval and credentials

Evidence auditors look for

  • Network diagram showing pre-production and production subnets with firewall rules blocking inter-environment traffic
  • IAM/access control logs proving production system accounts cannot authenticate to pre-production infrastructure
  • Cloud security group or on-premises firewall configurations restricting pre-production-to-production connections
  • Change management records documenting approval workflows and role separation for production deployments
  • Database backup and sanitization logs showing test data masking before pre-production use
  • Access control matrix mapping user roles to environment permissions with documented justification
  • Vulnerability scan reports run separately on each environment confirming isolation effectiveness

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps your infrastructure topology, identifies pre-production and production environments, and validates network segmentation rules—surfacing separation gaps before your next audit.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 6.5.1 — Injection FlawsPCI DSS 6.5.2 — Broken AuthenticationPCI DSS 7.1 — Limiting Access by Business NecessityPCI DSS 8.1 — User Access AssignmentPCI DSS 8.2 — User Authentication