| ๐ผ 6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls. | | | | |
| ๐ผ 6.4.2 Separation of duties between development/test and production environments. | | | | |
| ๐ผ 6.4.3 Production data (live PANs) are not used for testing or development. | | | | |
| ๐ผ 6.4.4 Removal of test data and accounts from system components before the system becomes active / goes into production. | | | | |
| ๐ผ 6.4.5 Change control procedures. | 4 | | | |
| ย ย ย ย ๐ผ 6.4.5.1 Documentation of impact. | | | | |
| ย ย ย ย ๐ผ 6.4.5.2 Documented change approval by authorized parties. | | | | |
| ย ย ย ย ๐ผ 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. | | | | |
| ย ย ย ย ๐ผ 6.4.5.4 Back-out procedures | | | | |
| ๐ผ 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. | | | | |