This post is part of a series on the 12 PCI DSS requirements, in which we discuss the common challenges and explain what kind of evidence is needed to comply with each requirement. This post covers:


Requirement 6: Develop and maintain secure software, systems and applications


This requirement focuses on protecting the cardholder data environment (CDE) against all types of malware that can affect its systems. The CDE is where cardholder data (CHD) is stored, processed and transmitted.

Attackers exploit system vulnerabilities to try to gain privileged access to cardholder data systems. Applying all security patches provided by vendors addresses a large share of the known vulnerabilities. This is the principal reason PCI DSS requires that systems always be kept updated to the latest version.

On the other hand, security vulnerabilities introduced inadvertently into custom software code can also be exploited to gain access to a network and compromise cardholder data. Security requirements must therefore be defined for every phase of software development, including the analysis, design and testing stages.


Define and implement processes


It is important to define and implement a process that allows you to identify and rank the risk of security vulnerabilities in the PCI DSS environment using reliable external sources. This process involves the following phases:

  1. Identify the vulnerabilities continuously through information provided by vendors, industry-accepted security sites and scanning tools.
  2. Classify the risk and set priorities to quickly address the elements of greater risk and reduce the probability of exploiting the vulnerabilities.
  3. Solve the vulnerabilities of highest risk in less than 30 days and the vulnerabilities of lower risk in the medium term provided that it does not exceed the scheduled date of the next security scan.
  4. Re-test. After having implemented the vulnerability solution, perform a new security scan test to make sure that the vulnerabilities have been corrected.
  5. Update your systems. Keep in mind that, to correct vulnerabilities, you must implement both the security patches provided by the system provider and the security settings update.
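The ranking, deadline and re-test steps above, as an added example that is not code from the original post. The CVSS-style scores, the 7.0 high-risk cut-off and the findings themselves are constructed assumptions; PCI DSS lets each entity define its own risk ranking, while the 30-day window and the "before the next scan" deadline are the ones named in the post.

```python
from datetime import date, timedelta

# Constructed sample scan output (not from the post); "score" is assumed
# to be the scanning tool's severity score used as the ranking input.
FINDINGS = [
    {"id": "F-001", "host": "pos-db-01", "score": 9.8, "found": date(2023, 3, 1)},
    {"id": "F-002", "host": "pos-web-01", "score": 5.3, "found": date(2023, 3, 1)},
    {"id": "F-003", "host": "pos-web-02", "score": 7.2, "found": date(2023, 2, 10)},
]

HIGH_RISK_THRESHOLD = 7.0  # assumed cut-off; the entity defines this in its ranking process
HIGH_RISK_SLA_DAYS = 30    # highest-risk findings must be fixed within 30 days


def classify(score):
    """Phase 2: rank a finding as 'high' or 'lower' risk."""
    return "high" if score >= HIGH_RISK_THRESHOLD else "lower"


def due_date(finding, next_scan):
    """Phase 3: high risk gets 30 days from discovery, lower risk must be
    fixed no later than the next scheduled security scan."""
    if classify(finding["score"]) == "high":
        return finding["found"] + timedelta(days=HIGH_RISK_SLA_DAYS)
    return next_scan


def remediation_plan(findings, next_scan, today):
    """Order findings highest risk first and flag anything past its deadline."""
    plan = []
    for f in sorted(findings, key=lambda f: f["score"], reverse=True):
        due = due_date(f, next_scan)
        plan.append({"id": f["id"], "risk": classify(f["score"]),
                     "due": due, "overdue": today > due})
    return plan


def failed_fixes(remediated_ids, rescan_ids):
    """Phase 4: a fix only counts once the re-scan no longer reports it.
    Returns the ids claimed as fixed that the re-scan still found."""
    return sorted(set(remediated_ids) & set(rescan_ids))


if __name__ == "__main__":
    for row in remediation_plan(FINDINGS, date(2023, 4, 15), date(2023, 3, 20)):
        print(row)
    print("still open after re-scan:", failed_fixes(["F-001", "F-003"], ["F-003", "F-002"]))
```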

Define and implement a development process that includes security requirements in all phases of development. PCI DSS puts the emphasis on the testing stage and the code review. The most important points in these processes are:

  1. Perform objective and independent reviews. This should be done by someone who was not part of the code development.
  2. Deploy only issue-free code. Fix all errors before deploying code to a production environment.
  3. Clean production environment. Keep the development environment completely separate from the production environment, both physically and logically. Do not deploy new code together with test data, such as the user IDs and passwords used in the test phase.

To mitigate the risks and protect the PCI DSS environment, make sure to implement these best practices for secure configuration, keep software up to date and follow secure development practices.
