GRCWatch
Sign inStart free trial

PCI DSS 6.5.5: Do Not Use Live PANs in Pre-Production

PCI DSS 6.5.5 requires that live payment card numbers (PANs) never appear in pre-production environments unless those environments are explicitly included in your cardholder data environment (CDE). This control prevents accidental exposure of sensitive payment data during development and testing. Implementing this control strengthens your overall security posture and reduces breach risk.

What this means

This control mandates that development, staging, and testing environments must not contain live PANs or other sensitive authentication data. The only exception is when pre-production systems are formally designated as part of your CDE with equivalent security controls. Organizations must use tokenized data, masked PANs, or synthetic test card numbers instead of production payment data in non-production systems.

How to comply

  1. 1.Identify all pre-production environments (development, staging, testing, UAT) that could potentially access card data
  2. 2.Map which systems are included in your CDE versus which are explicitly excluded
  3. 3.Implement tokenization or masking solutions to replace live PANs with synthetic test data in pre-production
  4. 4.Establish a data sanitization process to remove live PANs from any production backups used for pre-production testing
  5. 5.Configure access controls to prevent live cardholder data from being copied to pre-production systems
  6. 6.Document exceptions where pre-production environments are included in the CDE with equivalent security controls
  7. 7.Conduct quarterly reviews to verify pre-production systems contain only masked or synthetic payment data
  8. 8.Train developers on secure coding practices and the prohibition against hardcoding or using live PANs in code

Evidence auditors look for

  • Data classification policy explicitly prohibiting live PANs in non-CDE environments
  • Configuration of tokenization platform masking live card numbers in pre-production databases
  • Test data management procedures using only synthetic card numbers or masked PAN formats
  • Production backup sanitization scripts that remove or mask PANs before staging environment restoration
  • Network segmentation documentation showing pre-production systems isolated from production cardholder data
  • Code review policies with automated scanning for hardcoded PAN patterns
  • CDE scope documentation identifying which systems are or are not in scope
  • Audit logs showing data access and sanitization activities in pre-production environments

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates pre-production data scanning and tokenization monitoring to ensure live PANs never leak into non-CDE environments, eliminating manual audit work and reducing compliance risk.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 2.1 - Restrict Administrative AccessPCI DSS 3.4 - Render PANs UnreadablePCI DSS 6.2 - Secure Development ProcessesPCI DSS 8.2 - Unique User IDsPCI DSS 10.1 - Audit Trails for System Access