What restrictions, if any, exist over source code repository management under PCI-DSS?
The company I work at wants to develop a credit card processing service for clients hosted under our network. At the moment we're using SVN for version control. It's secured so that only the developers who need checkout/commit access have it. Meanwhile I was planning on moving from SVN to HG. However, the security team has expressed reservations about using a distributed SCM tool due to lack of access control on remote clones. Specifically, they claim this would violate PCI-DSS compliance. Does it?
First, I'll just say that I'm basing my answer on a quick read of PCI-DSS 2.0, specifically Requirement 6.
I don't see why using Mercurial would be a problem if you use it in a way comparable to how you used Subversion. Here are some reasons why I think this:
So I think there is plenty of scope to be PCI-DSS compliant while using a DVCS like Mercurial. Everything above would apply equally to Git.
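As an added illustration (editor's example, not part of the question or the answer above) of what "using Mercurial in a way comparable to Subversion" looks like in practice, here is a server-side `hgrc` for the central, authoritative repository. It assumes the repository is served by hgweb behind an HTTPS front end that performs user authentication and passes the username through; the usernames (`alice`, `bob`, `carol`) and the `payments/` and `deploy/` paths are assumptions for the example. The `[web]` keys are hgweb's own read/push controls, and the `acl` extension ships with Mercurial and provides per-path push restrictions similar to Subversion's `authz` file:

```ini
# Added example (not from the original post): access control for the central
# Mercurial repository, which plays the same role the Subversion server did.
# Usernames, paths and the HTTPS/hgweb deployment are assumptions.

[web]
# Reject pushes over plain HTTP; require TLS.
push_ssl = true
# Read (clone/pull) access: explicit allow list, everyone else denied.
allow_read = alice, bob, carol
deny_read = *
# Push access: explicit allow list, everyone else denied.
allow_push = alice, bob, carol
deny_push = *

[extensions]
# Built-in extension: per-path / per-branch restrictions on incoming changesets.
acl =

[acl]
# Check changesets that arrive through the server (hgweb / hg serve).
sources = serve

[acl.allow]
# Every user on the push list may change the tree in general.
** = alice, bob, carol

[acl.deny]
# Deny rules are evaluated first: carol is not on the payments team, so a push
# from her touching the card-handling code is rejected as a whole.
payments/** = carol
# Deployment manifests are never changed from a developer push.
deploy/** = *
```

With this in place the authoritative repository enforces who may read and who may write, and which paths a given user may write to, exactly as the Subversion server did; a developer's local clone is then the counterpart of an SVN working copy, which already contained checked-out code on the developer's machine, and the same workstation controls apply to both.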