PCI Requirement 6.4 – Follow Change Control Processes and Procedures for all Changes to System Components

by Randy Bartels / February 7, 2023

Follow Your Change Control Program

Most, if not all, security programs require that you have some type of Change Control Program. At the start of our PCI Demystified journey, we discussed Change Control Programs. In PCI Requirement 6.4, this point is reiterated. PCI Requirement 6.4 states, “Follow change control processes and procedures for all changes to system components.” Your organization should have the appropriate methods to control any changes in…

PCI Requirement 6.3.2 – Review Custom Code Prior to Release

by Randy Bartels / February 7, 2023

How to Review Custom Code Prior to Release

PCI Requirement 6 requires your organization to go through many phases of development before production to ensure that software applications are being securely developed. PCI Requirement 6.3.1 requires that any testing data being used in the development and testing phases is removed before the application goes into production. PCI Requirement 6.3.2 adds another level of information security to the application by requiring…

PCI Requirement 6.3.1 – Remove Development and Test Accounts, User IDs, and Passwords Before Release

by Randy Bartels / February 7, 2023

Why Remove Test Data Before Production?

PCI Requirement 6 says that software applications should be developed in a secure way, which requires that your organization go through many phases to ensure information security is incorporated throughout the application. PCI Requirement 6.3.1 picks up during the development and testing phases. PCI Requirement 6.3.1 states, “Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or…

PCI Requirement 6.3 – Develop Secure Software Applications

by Randy Bartels / February 7, 2023

Secure Software Application Defined

PCI Requirement 6.3 focuses on the software development lifecycle, or SDLC. PCI Requirement 6.3 states that all internal and external software applications must be securely developed, in accordance with the PCI DSS, industry best practices, and with information security incorporated. A securely developed software application should have several capabilities. It should be able to function in a hardened application or operating system. The application must encrypt…

PCI Requirement 6.2 – Ensure all Systems and Software are Protected from Known Vulnerabilities

by Randy Bartels / February 7, 2023

Ensure All Systems and Software are Protected from Known Vulnerabilities

In PCI Requirement 6.1, you learned how to establish a process to identify security vulnerabilities. Now, in PCI Requirement 6.2, we’ll discuss patch management programs. PCI Requirement 6.2 states, “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.” In today’s threat landscape,…