Ensure All Systems and Software are Protected from Known Vulnerabilities
In PCI Requirement 6.1, you learned how to establish a process to identify security vulnerabilities. Now, in PCI Requirement 6.2, we’ll discuss patch management programs. PCI Requirement 6.2 states, “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”
In today’s threat landscape, there’s a constant stream of attacks. PCI Requirement 6.2 exists to reinforce the fact that if the most recent security patches are not applied to systems and applications as soon as possible, an attacker could exploit those known vulnerabilities to attack, disable, or gain access to a system containing sensitive cardholder data.
The PCI DSS states, “Prioritizing patches for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released. Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months. This requirement applies to applicable patches for all installed software, including payment applications.”
What You Need to Know about Patch Management for PCI DSS
Security patches for critical or high-risk security vulnerabilities should be deployed within a month of their release. If not, your assessor will question this.
If a security patch is released but the vulnerability is considered low, the PCI DSS says these types of patches need to be deployed within an appropriate amount of time. What’s considered an “appropriate” amount of time? We recommend within two to three months of the release.
PCI Requirement 6.2 requires that an assessor examine your policies and procedures to verify that there is an established process for patch management, which helps to ensure all systems and software are protected from known vulnerabilities. An assessor will also compare the list of security patches installed on each system to the most recent manufacturer-supplied security patch list, to verify that critical security patches are installed within one month of release and non-critical security patches are installed within an appropriate time frame.
Where PCI DSS Requirement 6.1 focused on identifying vulnerabilities and performing a risk ranking around them, Requirement 6.2 requires that you have a patching program. Where your risk ranking program has identified a risk as being high or urgent, we look to see that those particular patches are deployed in an appropriate amount of time. There are really two call-outs within the PCI DSS. We have the critical or urgent patches that need to be deployed within one month of their release, but secondary to that, there are all other security-related patches. The Council says these need to be deployed within an appropriate amount of time. Once again, these nebulous timeframes are really up to you to define. What is an appropriate amount of time? The PCI DSS recommends basically within three months. As an assessor, that’s kind of where we look. We understand that you have maintenance windows, but running a year without installing those patches is typically a pretty uncomfortable conversation to have.
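The check described above (comparing installed patches against vendor release dates and the two timeframes, one month for critical patches and an "appropriate" window for the rest) can be scripted so you find overdue patches before your assessor does. The example below is added here for illustration; it is not from the PCI DSS, the Council, or any assessor's tooling. The 90-day window for non-critical patches is an assumption taken from the upper end of the 2-3 months the standard suggests, and all hosts, patch IDs and dates in the sample inventory are constructed.

```python
"""Patch-SLA check (illustrative, constructed for this article; not a PCI DSS or QSA tool).

Compares an inventory of vendor-released security patches with what is installed
on each system and flags patches that missed the timeframes: critical patches
within 30 days of release, all other security patches within an "appropriate"
window, assumed here to be 90 days. Hosts, patch IDs and dates are made up.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_SLA = timedelta(days=30)   # PCI DSS 6.2: critical patches within one month
OTHER_SLA = timedelta(days=90)      # assumed "appropriate" window for lower-risk patches


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    severity: str               # "critical" or any other vendor/risk-ranking label
    released: date              # vendor release date
    installed: Optional[date]   # None = not yet installed on this host


def sla_for(severity: str) -> timedelta:
    """Map the risk ranking (Requirement 6.1) to the patch deadline (Requirement 6.2)."""
    return CRITICAL_SLA if severity.lower() == "critical" else OTHER_SLA


def evaluate(rec: PatchRecord, as_of: date) -> dict:
    """Classify one host/patch pair as compliant, pending, overdue or installed_late."""
    deadline = rec.released + sla_for(rec.severity)
    if rec.installed is None:
        status = "overdue" if as_of > deadline else "pending"
        days_late = (as_of - deadline).days if status == "overdue" else 0
    elif rec.installed > deadline:
        status = "installed_late"          # applied, but after the deadline
        days_late = (rec.installed - deadline).days
    else:
        status = "compliant"
        days_late = 0
    return {"host": rec.host, "patch_id": rec.patch_id, "severity": rec.severity,
            "deadline": deadline, "status": status, "days_late": days_late}


def assess(records, as_of: date) -> list[dict]:
    """Findings for every record, worst first (overdue, then late, then pending, then ok)."""
    findings = [evaluate(r, as_of) for r in records]
    order = {"overdue": 0, "installed_late": 1, "pending": 2, "compliant": 3}
    return sorted(findings, key=lambda f: (order[f["status"]], -f["days_late"]))


def noncompliant(records, as_of: date) -> list[dict]:
    """Only the findings an assessor would raise: missed deadlines, applied late or not at all."""
    return [f for f in assess(records, as_of) if f["status"] in ("overdue", "installed_late")]


# Constructed sample inventory: one row per (host, vendor patch). All values are fictitious.
SAMPLE = [
    PatchRecord("pos-db-01",  "VENDOR-2024-001", "critical", date(2024, 1, 2),  date(2024, 1, 20)),
    PatchRecord("pos-db-01",  "VENDOR-2024-002", "critical", date(2024, 1, 2),  date(2024, 2, 15)),
    PatchRecord("pos-web-01", "VENDOR-2024-003", "critical", date(2024, 2, 1),  None),
    PatchRecord("pos-web-01", "VENDOR-2024-004", "moderate", date(2024, 1, 10), None),
    PatchRecord("pos-web-02", "VENDOR-2024-004", "moderate", date(2024, 1, 10), date(2024, 3, 1)),
    PatchRecord("pos-web-02", "VENDOR-2024-005", "low",      date(2024, 3, 20), None),
]
AS_OF = date(2024, 4, 1)   # constructed assessment date

if __name__ == "__main__":
    for f in assess(SAMPLE, AS_OF):
        print(f"{f['status']:<15} {f['host']:<10} {f['patch_id']} ({f['severity']}) "
              f"deadline {f['deadline']} late {f['days_late']}d")
```

Feed it your own inventory (for example, an export from your patch-management or vulnerability-scanning tool joined with vendor release dates) and the "overdue" and "installed_late" rows are exactly the items an assessor will ask about when comparing installed patches to the vendor's list. Note that the install date, not today's date, is what matters for patches already applied: a critical patch installed on day 45 is still a finding even though the host is patched now.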