PCI Requirement 6
Develop and Maintain Secure Systems and Applications
Complying with PCI Requirement 6 will help your organization build a vulnerability management program that develops and maintains secure systems and applications. Attackers often use common security vulnerabilities to gain entry to systems in the targeted environment. Many common security vulnerabilities could be fixed with vendor-supplied security patches, but the issue arises when those patches are installed too late or not at all. The PCI DSS calls for all systems and applications to have all appropriate security patches implemented within an appropriate period of time in order to protect the cardholder data environment. This requirement is directed towards all applications in your environment, not just applications you’ve bought commercially or ones that you’ve developed.
Our PCI Requirement 6 videos will cover how to identify security vulnerabilities, patch installation, how to develop secure applications, secure coding strategies, change control processes, common coding vulnerabilities, and more. Click on a video below to get start with PCI Requirement 6.
PCI Requirement 6 – Develop and Maintain Secure Systems and Applications
PCI Requirement 6 pairs with PCI Requirement 5 to satisfy vulnerability management program expectations. PCI Requirement 6 states, “Develop and maintain secure systems and applications.” The purpose of this requirement is to build a process for securely managing the software within your environment.
PCI Requirement 6.1 – Establish a Process to Identify Security Vulnerabilities
PCI Requirement 6.1 states, “Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.”
PCI Requirement 6.2 – Ensure all Systems and Software are Protected from Known Vulnerabilities
In PCI Requirement 6.1, you learned how to establish a process to identify security vulnerabilities. Now, in PCI Requirement 6.2, we’ll discuss patch management programs.
PCI Requirement 6.3 – Develop Secure Software Applications
Secure Software Application Defined
PCI Requirement 6.3 focuses…
PCI Requirement 6.3 focuses…
PCI Requirement 6.3.1 – Remove Development and Test Accounts, User IDs, and Passwords Before Release
Why Remove Test Data Before Production?
PCI Requirement 6…
PCI Requirement 6…
PCI Requirement 6.3.2 – Review Custom Code Prior to Release
How to Review Custom Code Prior to Release
PCI Requirement…
PCI Requirement…
PCI Requirement 6.4 – Follow Change Control Processes and Procedures for all Changes to System Components
Most, if not all, security programs require that you have some type of Change Control Program. At the start of our PCI Demystified journey, we discussed Change Control Programs.
PCI Requirement 6.5 – Address Common Coding Vulnerabilities in Software-Development Processes
Addressing Common Coding Vulnerabilities
PCI Requirement 6.5…
PCI Requirement 6.5…
PCI Requirement 6.5.2 – Buffer Overflow
PCI Requirement 6.5 requires that your organization address common coding vulnerabilities in software development processes to ensure that applications are securely developed.
PCI Requirement 6.5.1 – Injection Flaws
PCI Requirement 6.5 requires that your organization addresses common coding vulnerabilities in software-development processes to ensure that applications are securely developed.
PCI Requirement 6.5.3 – Insecure Cryptographic Storage
PCI Requirement 6.5 requires that your organization address common coding vulnerabilities in software development processes to ensure that applications are securely developed.
PCI Requirement 6.5.4 – Insecure Communications
PCI Requirement 6.5.4 requires that you protect your applications from insecure communications. To understand PCI Requirement 6.5.4, let’s look back at PCI Requirement 4.
PCI Requirement 6.5.6 – All “High Risk” Vulnerabilities
PCI Requirement 6.1 taught us how to establish a process for identifying security vulnerabilities. The PCI DSS explained that risk ranking allows organizations to identify, prioritize, and address the highest risk items and reduce the likelihood that vulnerabilities will be exploited.
PCI Requirement 6.5.5 – Improper Error Handling
Improper error handling is one of the common coding vulnerabilities outlined in PCI Requirement 6.5. PCI Requirement 6.5.5 states that improper error handling must be addressed in your coding techniques.
PCI Requirement 6.5.1 – 6.5.6 Recap
We’ve looked at PCI Requirement 6.5.1 through 6.5.6 together and learned about protection from injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and “high risk” vulnerabilities. But, where does PCI Requirement 6.5.1 through 6.5.6 apply? It’s important to know that PCI Requirements 6.5.1 through 6.5.6 apply to all internal and external applications.
PCI Requirement 6.5.7 – Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is another type of common coding vulnerability associated with application development. PCI Requirement 6.5.7 requires that you protect all of your organization’s web applications, internal application interfaces, and external application interfaces from XSS.
PCI Requirement 6.5.8 – Improper Access Control
PCI Requirement 6.5.8 states that your organization’s applications are protected from improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions.
PCI Requirement 6.5.9 – Cross-Site Request Forgery
PCI Requirement 6.5.9 states that your organization’s applications are protected from cross-site request forgery (CSRF). PCI Requirement 6.5.9 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces.
PCI Requirement 6.6 – Address New Threats and Vulnerabilities on an Ongoing Basis for Public-Facing Web Applications
PCI Requirement 6.6 states, “For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.”
PCI Requirement 6.7 – Ensure Policies and Procedures for Developing and Maintaining Secure Systems and Applications Are Documented, in Use, and Known to all Affected Parties
PCI Requirement 6 pairs with PCI Requirement 5 to satisfy vulnerability management program expectations. PCI Requirement 6 states, “Develop and maintain secure systems and applications.”
