PCI Requirement 6

Develop and Maintain Secure Systems and Applications

Complying with PCI Requirement 6 will help your organization build a vulnerability management program that develops and maintains secure systems and applications. Attackers often use common security vulnerabilities to gain entry to systems in the targeted environment. Many common security vulnerabilities could be fixed with vendor-supplied security patches, but the issue arises when those patches are installed too late or not at all. The PCI DSS calls for all systems and applications to have all appropriate security patches implemented within an appropriate period of time in order to protect the cardholder data environment. This requirement is directed towards all applications in your environment, not just applications you’ve bought commercially or ones that you’ve developed.

Our PCI Requirement 6 videos will cover how to identify security vulnerabilities, patch installation, how to develop secure applications, secure coding strategies, change control processes, common coding vulnerabilities, and more. Click on a video below to get started with PCI Requirement 6.

PCI Requirement 6 – Develop and Maintain Secure Systems and Applications

PCI Requirement 6 pairs with PCI Requirement 5 to satisfy vulnerability management program expectations. PCI Requirement 6 states, “Develop and maintain secure systems and applications.” The purpose of this requirement is to build a process for securely managing the software within your environment.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.1 – Establish a Process to Identify Security Vulnerabilities

PCI Requirement 6.1 states, “Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.”
October 13, 2017/by Jeff Wilder
PCI Requirement 6.2 – Ensure all Systems and Software are Protected from Known Vulnerabilities

In PCI Requirement 6.1, you learned how to establish a process to identify security vulnerabilities. Now, in PCI Requirement 6.2, we’ll discuss patch management programs.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.3 – Develop Secure Software Applications

Secure Software Application Defined
PCI Requirement 6.3 focuses…
October 13, 2017/by Jeff Wilder
PCI Requirement 6.3.1 – Remove Development and Test Accounts, User IDs, and Passwords Before Release

Why Remove Test Data Before Production?
PCI Requirement 6…
October 13, 2017/by Jeff Wilder
PCI Requirement 6.3.2 – Review Custom Code Prior to Release

How to Review Custom Code Prior to Release
PCI Requirement…
October 13, 2017/by Jeff Wilder
PCI Requirement 6.4 – Follow Change Control Processes and Procedures for all Changes to System Components

Most, if not all, security programs require that you have some type of Change Control Program. At the start of our PCI Demystified journey, we discussed Change Control Programs.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5 – Address Common Coding Vulnerabilities in Software-Development Processes

Addressing Common Coding Vulnerabilities
PCI Requirement 6.5…
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.2 – Buffer Overflow

PCI Requirement 6.5 requires that your organization address common coding vulnerabilities in software development processes to ensure that applications are securely developed.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.1 – Injection Flaws

PCI Requirement 6.5 requires that your organization address common coding vulnerabilities in software-development processes to ensure that applications are securely developed.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.3 – Insecure Cryptographic Storage

PCI Requirement 6.5 requires that your organization address common coding vulnerabilities in software development processes to ensure that applications are securely developed.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.4 – Insecure Communications

PCI Requirement 6.5.4 requires that you protect your applications from insecure communications. To understand PCI Requirement 6.5.4, let’s look back at PCI Requirement 4.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.6 – All “High Risk” Vulnerabilities

PCI Requirement 6.1 taught us how to establish a process for identifying security vulnerabilities. The PCI DSS explained that risk ranking allows organizations to identify, prioritize, and address the highest risk items and reduce the likelihood that vulnerabilities will be exploited.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.5 – Improper Error Handling

Improper error handling is one of the common coding vulnerabilities outlined in PCI Requirement 6.5. PCI Requirement 6.5.5 states that improper error handling must be addressed in your coding techniques.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.1 - 6.5.6 Recap

We’ve looked at PCI Requirement 6.5.1 through 6.5.6 together and learned about protection from injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and “high risk” vulnerabilities. But, where does PCI Requirement 6.5.1 through 6.5.6 apply? It’s important to know that PCI Requirements 6.5.1 through 6.5.6 apply to all internal and external applications.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.7 – Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is another type of common coding vulnerability associated with application development. PCI Requirement 6.5.7 requires that you protect all of your organization’s web applications, internal application interfaces, and external application interfaces from XSS.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.8 – Improper Access Control

PCI Requirement 6.5.8 requires that your organization’s applications be protected from improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.5.9 – Cross-Site Request Forgery

PCI Requirement 6.5.9 requires that your organization’s applications be protected from cross-site request forgery (CSRF). PCI Requirement 6.5.9 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces.
October 13, 2017/by Jeff Wilder
PCI Requirement 6.6 – Address New Threats and Vulnerabilities on an Ongoing Basis for Public-Facing Web Applications

PCI Requirement 6.6 states, “For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.”
October 13, 2017/by Jeff Wilder
PCI Requirement 6.7 – Ensure Policies and Procedures for Developing and Maintaining Secure Systems and Applications Are Documented, in Use, and Known to all Affected Parties

PCI Requirement 6 pairs with PCI Requirement 5 to satisfy vulnerability management program expectations. PCI Requirement 6 states, “Develop and maintain secure systems and applications.”
October 13, 2017/by Jeff Wilder