Information Security
pci-dss pci-scope git
Updated Tue, 07 Jun 2022 15:50:53 GMT

Can I use GitHub and be PCI DSS compliant?


Is it possible to use any remote DVCS (GitHub, Bitbucket, etc.) with PCI DSS or should I host Git on my own server?




Solution

Note : not a QSA, but I do have some PCI experience.

There is nothing in PCI about storage of source code - there are requirements about change management, which github would help with, but nothing about where source code should be or any requirements to keep source code private (it allows use of open source, after all). Given a private repo and assuming you do not store authentication information (keys, appids, passwords, api keys, certificates), PCI governed data or PII in GitHub repositories (which you shouldn't be doing anyways), you are probably fine using GitHub. Talk to your QSA if you want to be sure.





Comments (1)

  • +0 – This is all correct - I'm a QSA. Just need to sure there's separation of duties between dev/test and production environments and people responsible for each. i.e. don't allow an admin access to and ability to change source code and later deploy to production environments. — Oct 25, 2016 at 21:35