PCI Requirement 6.5 – Address Common Coding Vulnerabilities in Software-Development Processes

by Randy Bartels / February 7, 2023

Addressing Common Coding Vulnerabilities

PCI Requirement 6.5 is focused specifically on making sure that code is developed securely. PCI Requirement 6.5 requires that you address common coding vulnerabilities in software development processes by training developers on up-to-date secure coding techniques and developing applications based on secure coding guidelines. The application layer is high-risk and may be targeted by both internal and external threats. We discuss training over and over again…

PCI Requirement 6.4 – Follow Change Control Processes and Procedures for all Changes to System Components

by Randy Bartels / February 7, 2023

Follow Your Change Control Program

Most, if not all, security programs require that you have some type of Change Control Program. At the start of our PCI Demystified journey, we discussed Change Control Programs. In PCI Requirement 6.4, this point is reiterated. PCI Requirement 6.4 states, “Follow change control processes and procedures for all changes to system components.” Your organization should have the appropriate methods to control any changes in…

PCI Requirement 6.3.2 – Review Custom Code Prior to Release

by Randy Bartels / February 7, 2023

How to Review Custom Code Prior to Release

PCI Requirement 6 requires your organization to go through many phases of development before production to ensure that software applications are being securely developed. PCI Requirement 6.3.1 requires that any testing data being used in the development and testing phases is removed before the application goes into production. PCI Requirement 6.3.2 adds another level of information security to the application by requiring…

PCI Requirement 6.3.1 – Remove Development and Test Accounts, User IDs, and Passwords Before Release

by Randy Bartels / February 7, 2023

Why Remove Test Data Before Production?

PCI Requirement 6 says that software applications should be developed in a secure way, which requires that your organization go through many phases to ensure information security is incorporated throughout the application. PCI Requirement 6.3.1 picks up during the development and testing phases. PCI Requirement 6.3.1 states, “Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or…

PCI Requirement 6.3 – Develop Secure Software Applications

by Randy Bartels / February 7, 2023

Secure Software Application Defined

PCI Requirement 6.3 focuses on the software development lifecycle, or SDLC. PCI Requirement 6.3 states that all internal and external software applications must be securely developed, in accordance with the PCI DSS, industry best practices, and with information security incorporated. A securely developed software application should have several capabilities. It should be able to function in a hardened application or operating system. The application must encrypt…