Where Do PCI Requirements 6.5.1 – 6.5.6 Apply?
We’ve looked at PCI Requirement 6.5.1 through 6.5.6 together and learned about protection from injection flaws, buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and “high risk” vulnerabilities. But, where does PCI Requirement 6.5.1 through 6.5.6 apply? It’s important to know that PCI Requirements 6.5.1 through 6.5.6 apply to all internal and external applications.
PCI Requirements 6.5.1 – 6.5.6 Recap
PCI Requirement 6.5 requires that you address common coding vulnerabilities in software development processes by training developers on up-to-date secure coding techniques and developing applications based on secure coding guidelines. The PCI DSS states, “As industry best practices for vulnerability management are updated, the current best practices must be used for these requirements.” The following requirements outline common coding vulnerabilities that apply to all internal and external applications:
- 5.1: Injection flaws
- 5.2: Buffer overflow
- 5.3: Insecure cryptographic storage
- 5.4: Insecure communications
- 5.5: Improper error handling
- 5.6: All “high risk” vulnerabilities
Assessors want to see PCI Requirements 6.5.1 through 6.5.6 implemented in the application development process for all internal and external applications. In order to verify that your organization is complying with PCI Requirements 6.5.1 through 6.5.6, an assessor will examine policies and procedures related to application development, training records, and interview responsible personnel.
When we’re looking at PCI Requirement 6.5.1 through 6.5.6, those particular requirements apply to all applications, whether it’s executable on the inside of your organization or whether it’s web-facing application. From a development perspective, we expect to see that all of those items called out within the PCI DSS, 6.5.1 through 6.5.6, are handled and apply to all applications. 6.5.7 through 6.5.10 are for web-based applications only.