PCI Requirement 7 – Restrict Access to Cardholder Data by Business Need to Know

by Randy Bartels / December 19, 2022

Protecting Cardholder Data
PCI Requirement 7 focuses on establishing access into your organization’s cardholder data environment through the lens of business need to know. PCI Requirement 7 states, “Restrict access to cardholder data by business need to know.” Complying with PCI Requirement 7 is critical to ensuring that cardholder data is accessed only by authorized personnel. There’s nothing wrong with granting someone access to the CDE and the PCI DSS…

PCI Requirement 6.7 – Ensure Policies and Procedures for Developing and Maintaining Secure Systems and Applications Are Documented, in Use, and Known to all Affected Parties

by Randy Bartels / February 7, 2023

Documentation Requirements
PCI Requirement 6 pairs with PCI Requirement 5 to satisfy vulnerability management program expectations. PCI Requirement 6 states, “Develop and maintain secure systems and applications.” The purpose of this requirement is to build a process for securely managing the software within your environment. For this requirement, we’ve discussed the 18 sub-requirements and topics such as how to securely develop applications, common coding vulnerabilities, and how to ensure your…

PCI Requirement 6.6 – Address New Threats and Vulnerabilities on an Ongoing Basis for Public-Facing Web Applications

by Randy Bartels / February 7, 2023

Address New Threats and Vulnerabilities for Web Applications
PCI Requirement 6.6 states, “For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.” You can comply with PCI Requirement 6.6 through two methods: by reviewing public-facing web applications via manual or automated application vulnerability security assessment, at least annually and after any changes, or by installing an automated technical…

PCI Requirement 6.5.9 – Cross-Site Request Forgery

by Randy Bartels / February 7, 2023

What is Cross-Site Request Forgery?
PCI Requirement 6.5.9 states that your organization’s applications are protected from cross-site request forgery (CSRF). PCI Requirement 6.5.9 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. Web applications, the PCI DSS states, have unique security risks as well as relative ease and occurrence of compromise. OWASP describes a CSRF as a type of attack that forces an end-user…

PCI Requirement 6.5.8 – Improper Access Control

by Randy Bartels / February 7, 2023

What is Improper Access Control?
PCI Requirement 6.5.8 states that your organization’s applications are protected from improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions. PCI Requirement 6.5.8 applies to all of your organization’s web applications, internal application interfaces, and external application interfaces. Web applications, the PCI DSS states, have unique security risks as well…