PCI Requirement 6.4 – Follow Change Control Processes and Procedures for all Changes to System Components

by Randy Bartels / October 13th, 2017

Follow Your Change Control Program

Most, if not all, security programs require that you have some type of Change Control Program. At the start of our PCI Demystified journey, we discussed Change Control Programs. In PCI Requirement 6.4, this point is reiterated. PCI Requirement 6.4 states, “Follow change control processes and procedures for all changes to system components.” Your organization should have the appropriate methods to control any changes into and out of your environment. PCI Requirement 6.4 requires that your organization’s Change Control Program include a documented roll-back plan, a testing phase, management’s approval, and updated documentation. The PCI DSS warns, “Without properly documented and implemented change controls, security features could be inadvertently or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced.”

  • Roll-Back Plan – A documented roll-back plan is crucial to your Change Control Program. This documentation should outline exactly how to roll back changes in the event that something goes wrong or there’s a negative impact.
  • Testing Phase – All changes need to be tested to ensure there is no negative impact on the cardholder data environment. Testing the roll-back plan shows an assessor your organization’s level of maturity.
  • Management’s Approval – Management needs to approve all aspects of the Change Control Program.
  • Updated Documentation – Any time there is a significant change within your environment, you must ensure that all documentation is updated, including network diagrams, data flow diagrams, and inventory lists. Until documentation is updated, the change control should be left open.

When determining your compliance with PCI Requirement 6.4, your auditor will examine policies and procedures related to your Change Control Program to verify that you’ve defined the following:

  • Development and testing environments are separate from production environments, with access controls in place to enforce this separation.
  • Duties are separated between the employees assigned to the development and testing environments and those assigned to the production environment.
  • Production data (live PANs) are not used for testing or development and, vice versa, test data is removed before a system or application goes into production.
  • Change control procedures related to security patches and software modifications are documented.

It’s vital to follow change control processes and procedures for all changes to system components. If not, according to PCI Requirement 6.4, security features could be unintentionally or deliberately omitted or rendered inoperable, processing irregularities could occur, or malicious code could be introduced.

Most, if not all, security programs or audit programs require that you have some type of change control program. The PCI DSS is no stranger to this as well. PCI Requirement 6.4 specifically calls out that you have a change control program. I’m going to talk about all the change control requirements here within this one video. This change control program needs to have the following things documented. One, you need to have a documented roll-back plan. The level of narrative that you provide as part of this roll-back plan should be at that level that six months from now, you could roll back that application in the event that something’s going wrong.

You need to test that particular change, making sure that there’s no negative impact to the environment. When we look to see if you tested the application, one of the things that shows us maturity within your program is that you’ve actually tested the roll-back plan to make sure that works and that it doesn’t negatively impact the cardholder data.

We want to make sure that management is approving these changes. As part of any significant change within your environment, we’ve mentioned this in some of the other videos, there might be the need to update your network diagram, there might be a need to update your dataflow diagram, and there might be a need to alter your inventory list. We recommend that you keep the change control open until such time that this documentation has been updated.