What would be ideal is for Octopus Deploy to attain a "PCI-certified" status.

I don't know whether this would require 2 linked Octopus servers (as suggested elsewhere), or whether it could be accomplished with a single Octopus server. Here's one idea for the latter (it might display my ignorance)...

1. Switch Octopus into a new "PCI-compliant" mode.

2. Use a clever permissions strategy to segregate users into either:

   • a ProductionDeployments role, or
   • something else.

3. Certain target environments would be designated as Production.

4. Only those in the ProductionDeployments role would be allowed to promote a product version to a production environment. Everyone who does not have the ProductionDeployments role is precluded from modifying Production in any way, including via the Script Console window.

(This is a tricky edge case, as only System Administrators have access to the Script Console, and by definition SysAdmins can do anything. Perhaps an UberSysAdmin needs to designate one or more SysAdmins for Production and other SysAdmins for non-Production?)

1. Non-ProductionDeployment users are permitted to perform their normal roles, but only on the non-Production environments.

While this is apparently complex, when compared with the alternative - a dual Octopus server solution - there are a number of advantages:

Advantages

• All the deployment history for all products, versions and environments is in one location, visible to all users.
• Scripts for production can be replicas of other scripts. (Very important for testing.)
• There are no issues with moving script changes to a Production Octopus server.