Guidance for PCI Compliance

Looking for Guidance for PCI Compliance.
We are currently moving to getting a CI/CD pipeline running on GitLab.
Our current setup is that we have a non-production and a production environment on separate networks.
This reduces the area that is under PCI scope to just the production network, as this is the only place cardholder data is present.
We get a deployment to production by the following:

  • Commit code to git

  • This kicks off current build of artifacts via cruise control

  • In non production we deploy this via scripts, which have access to artifacts

  • For production we make the artifacts available to production by pushing to SFTP server and run script on production jump server to deploy

We are now working on moving to GitLab, where:

  • Gitlab running in non prod environment

  • GitLab registry running in non prod environment with Docker images stored in the file system for now, eventually moving to something like S3

  • GitLab runner running in non prod environment

Our issue is that for the CD part we need to push images to production boxes and run Docker commands (docker run). This results in our non-production environment (via the runner running the pipeline) having access to production, which we never required.

Any guidance on how to avoid this and keep our production environment as restricted as possible? I presume lots of companies want to keep production restricted; how do they achieve this?

Hi, I found some resources that might help you. According to GitLab’s website, they have some features that can help you with your PCI compliance, such as:

  • Static Application Security Testing (SAST) which analyzes the source code of an application for common security vulnerabilities.
  • Dynamic Application Security Testing (DAST) which scans working web applications for common security vulnerabilities.
  • Container Scanning which identifies known vulnerabilities in your Docker images.
  • Dependency Scanning which identifies open source code libraries used by your application that have known vulnerabilities.
  • Policy management which helps you define rules and policies to adhere to workflow requirements, separation of duties, and secure supply chain best practices.
  • Compliance frameworks which describe the type of compliance requirements projects must follow.
  • Compliance pipelines which define a pipeline configuration to run for any projects with a given compliance framework.
  • Audit management which provides visibility into GitLab and lets you audit what is happening.

I hope this helps you with your question of how do I become PCI compliant. Good luck with your project! :blush:

I would have separate runners, one for prod, one for non-prod. That way, the non-prod runner doesn’t need access to your prod servers. In such a scenario, only the runner in the prod network can push the docker images to the prod server.
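One way to express the two-runner split in a pipeline, as an added example that is not from this thread or from GitLab's own docs: the build job carries a tag that only the non-prod runner registers, and the deploy job carries a tag that only a runner registered inside the production network registers, so the production side pulls the image rather than non-prod pushing into it. The tag names `nonprod` and `prod`, the container name `app`, and a shell executor with Docker available on both runners are assumptions for this example; the `$CI_REGISTRY*` and `$CI_COMMIT_*` variables are GitLab's predefined ones.

```yaml
# Added example: one pipeline, two runners, no non-prod -> prod connection.
stages:
  - build
  - deploy

variables:
  # Immutable tag per commit so prod deploys a reviewed, scanned artifact.
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

build-image:
  stage: build
  tags:
    - nonprod            # assumed tag: only the non-prod runner picks this up
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"   # artifact lands in the registry, still in non-prod

deploy-prod:
  stage: deploy
  tags:
    - prod               # assumed tag: only the runner inside the prod network picks this up
  environment:
    name: production     # mark this environment as protected in project settings
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: manual       # explicit approval step before anything touches production
  script:
    # The prod runner initiates the pull; nothing in non-prod opens a
    # connection toward production hosts.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker pull "$IMAGE"
    - docker rm -f app || true          # "app" is an assumed container name
    - docker run -d --name app --restart unless-stopped "$IMAGE"
```

The prod runner still needs outbound access to GitLab and its registry to pick up jobs and pull images, so that egress is the one path to allow on the production firewall; register it as a protected runner so only protected branches and environments can schedule jobs on it.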