Test data compliance in financial services under the spotlight

Ross Millenacker

As financial institutions accelerate their digital transformation efforts, the environments used to build, test and deploy software are facing unprecedented scrutiny.

Banks and insurers, once focused primarily on securing production systems, are discovering that non-production test environments pose an equally serious threat.

These environments often contain sensitive customer or transactional data copied from live systems and are typically less protected, making them an attractive target for both cybercriminals and regulators.

For QA and software testing teams, the challenge is clear: maintaining speed and agility in software delivery while ensuring every instance of test data complies with evolving regulations such as DORA and the GDPR. This growing tension between compliance and innovation is now driving a fundamental shift in how financial firms manage, mask and govern their data.

According to Ross Millenacker, a senior product manager at Delphix, part of Perforce Software: “Test data compliance efforts are falling behind development speed, creating a dangerous gap exploited by bad actors and scrutinised by regulators.”

From card payments to wholesale banking systems, the use of real or near-production data for testing is widespread, but so too are the risks.

Millenacker noted that “the rules that apply to production data now apply to test data as well. There’s no hiding behind ‘it’s just test data’ anymore.”

Heightened risks for banks

Legacy testing practices are colliding with modern regulatory and threat landscapes. Millenacker explained that “test environments are a prime target for regulators and cybercriminals.”

These environments often host copies of sensitive production data, such as customer records, transaction histories and personal identifiers, that collectively build large, less-secured attack surfaces.

Financial-services QA teams should note two converging pressures: first, regulatory frameworks now clearly extend to non-production environments; and second, CI/CD-driven release velocity is increasing exposure before governance can catch up.


“If test data gets breached, customers would not care that it wasn’t ‘real’ production data. The headlines will read the same.”

– Ross Millenacker

Millenacker wrote in a recent analysis that “faster development cycles mean more data exposure” and that “speed is the #1 barrier to protecting data in non-production.”

He identified common failure points that are particularly relevant for banking QA functions. One such failure point is what Millenacker calls the ‘copy and pray’ approach.

“I’ve seen teams often choose this path when they copy production data directly to test environments with no masking or poorly implemented masking.”

He also highlighted that auditors frequently find test environments lacking critical controls: “Missing access logs top the list. Data inventories don’t exist. Uncontrolled and unmasked data spreads everywhere.”

For banks, where data lineage, audit trails and evidence of compliance are standard requirements, these are alarming signals.

A realistic roadmap

Millenacker described a phased implementation roadmap that QA and test-data-management teams should adopt. The first phase is discovery and assessment.

“The first step is understanding what you’re working with. You’ll need to document all instances of sensitive data by creating a full inventory … Next, identify which regulatory requirements apply to each type of data.”

The next phase focuses on quick wins, such as replacing high-risk data with fictitious but realistic values, and implementing access controls and audit logs.

The third phase addresses advanced protection: “One powerful step is using data-virtualisation. … Another advanced step is using synthetic data generation.”

For financial institutions, the takeaway is clear: test-data environments must not lag behind production in terms of governance, masking, access control and audit-readiness.

Why this matters

In financial services, data breaches carry immediate regulatory, reputational and operational consequences. Millenacker pointed out that “60% of organisations have experienced data breaches or theft in non-production environments, an 11% increase from last year.”

He warned that “if test data gets breached, customers would not care that it wasn’t ‘real’ production data. The headlines will read the same.”

For QA teams within banks, this means that skipping or downgrading test-data governance is not a compliance shortcut; it is a major risk vector.

Testing functions should immediately review their policies and tooling around non-production data, Millenacker continued. Key focus areas include compiling a current inventory of all test environments and the data they use, mapping which regulations apply to each dataset, and introducing masking, data-virtualisation and synthetic-data techniques so that test data cannot be traced back to real customers or transactions.

Embedding audit trails, access controls and automated compliance checks into CI/CD pipelines will help ensure test-data compliance becomes an integrated part of the testing workflow.
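The three roadmap phases (inventory, masking with fictitious but realistic values, automated checks in the pipeline) and the CI/CD controls just described can be illustrated end to end in a few dozen lines. The script below is an added example for this article, not Delphix or Perforce product code; it assumes plain dict records, a constructed masking key that would in practice come from a secrets vault, and deliberately minimal detection patterns (email addresses and Luhn-valid card numbers only). It discovers sensitive columns, pseudonymises them deterministically with a keyed HMAC so referential integrity survives across rows and tables, and then runs a compliance gate that fails if any real value leaks through or the mapping is inconsistent.

```python
"""Test-data discovery, masking and compliance gate (added example, not vendor code)."""
from __future__ import annotations

import hashlib
import hmac
import re
from typing import Optional

# Constructed secret: deterministic masking needs a stable key so the same real
# value always maps to the same fake value, yet the mapping cannot be reversed
# without the key. In production this comes from a vault and is rotated.
MASKING_KEY = b"constructed-demo-key-rotate-in-production"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers apart from arbitrary numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> Optional[str]:
    """Discovery step: tag a value with a sensitive-data category, or None."""
    if EMAIL_RE.match(value):
        return "email"
    if PAN_RE.match(value) and luhn_valid(value):
        return "pan"
    return None


def inventory(rows: list[dict]) -> dict[str, str]:
    """Phase 1: build the column-to-category inventory of sensitive data."""
    found: dict[str, str] = {}
    for row in rows:
        for col, val in row.items():
            cat = classify(str(val))
            if cat and col not in found:
                found[col] = cat
    return found


def _digest(value: str) -> bytes:
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).digest()


def mask_pan(pan: str) -> str:
    """Phase 2: replace a card number with a fictitious one of the same length
    that still passes Luhn, so validation logic in the test system keeps working."""
    body = "".join(str(b % 10) for b in _digest(pan)[: len(pan) - 1])
    for check in "0123456789":  # exactly one check digit satisfies Luhn
        if luhn_valid(body + check):
            return body + check
    raise RuntimeError("unreachable: some check digit always satisfies Luhn")


def mask_email(email: str) -> str:
    """Keep the shape of an address but drop the identity; .test is a reserved TLD."""
    return f"user{_digest(email).hex()[:10]}@example.test"


def mask_row(row: dict, inv: dict[str, str]) -> dict:
    out = dict(row)
    for col, cat in inv.items():
        if cat == "pan":
            out[col] = mask_pan(str(row[col]))
        elif cat == "email":
            out[col] = mask_email(str(row[col]))
    return out


def compliance_gate(original: list[dict], masked: list[dict], inv: dict[str, str]) -> list[str]:
    """Phase 3 / CI gate: return violations (empty list means the dataset may ship)."""
    violations: list[str] = []
    real_values = {str(r[c]) for r in original for c in inv}
    for i, row in enumerate(masked):
        for col in inv:
            if str(row[col]) in real_values:
                violations.append(f"row {i} column {col}: real value survived masking")
    mapping: dict[str, str] = {}  # identical inputs must map to identical outputs
    for o, m in zip(original, masked):
        for col in inv:
            if mapping.setdefault(str(o[col]), str(m[col])) != str(m[col]):
                violations.append(f"column {col}: non-deterministic masking")
    return violations


# Constructed sample rows (not real customers). The card numbers are the
# publicly known 4111... and 5555... test numbers, which are Luhn-valid.
SAMPLE_ROWS = [
    {"id": 1, "customer_email": "alice@bank.example", "card_number": "4111111111111111", "balance": 1200},
    {"id": 2, "customer_email": "bob@bank.example", "card_number": "5555555555554444", "balance": 88},
    {"id": 3, "customer_email": "alice@bank.example", "card_number": "4111111111111111", "balance": 1200},
]


def run_pipeline(rows: list[dict] = SAMPLE_ROWS):
    inv = inventory(rows)
    masked = [mask_row(r, inv) for r in rows]
    return inv, masked, compliance_gate(rows, masked, inv)


if __name__ == "__main__":
    inv, masked, problems = run_pipeline()
    print("inventory:", inv)
    for r in masked:
        print(r)
    print("gate:", "PASS" if not problems else problems)
```

Wired into a pipeline, a non-empty list from `compliance_gate` is the signal to fail the build before a refreshed test database is provisioned; the inventory it produces is also the artefact an auditor asks for first. Because rows 1 and 3 share a real customer, they share the same masked values, which is what keeps joins and test assertions meaningful without exposing the original record.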

As Millenacker put it: “Your development teams get what they need. Your compliance teams sleep better at night. Everyone wins.”

In summary, banks and financial-services QA teams can no longer treat test-data compliance as an afterthought. In today’s high-velocity development environment, with stricter regulatory oversight and increasingly sophisticated threat actors, non-production environments represent a critical front line of defence.

Following the roadmap outlined by Millenacker offers a practical way to align testing practices with enterprise-grade governance and compliance standards.
