PCI Requirement 6.7 – Ensure Policies and Procedures for Developing and Maintaining Secure Systems and Applications Are Documented, in Use, and Known to all Affected Parties

by Randy Bartels / October 13th, 2017

Documentation Requirements

PCI Requirement 6 pairs with PCI Requirement 5 to satisfy vulnerability management program expectations. PCI Requirement 6 states, “Develop and maintain secure systems and applications.” The purpose of this requirement is to build a process for securely managing the software within your environment. For this requirement, we’ve discussed the 18 sub-requirements and topics such as how to securely develop applications, common coding vulnerabilities, and how to ensure your applications are protected. Complying with PCI Requirement 6 will protect your organization’s applications from being susceptible to threats and vulnerabilities. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 6.7.

PCI Requirement 6.7 states, “Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.” This is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures need to be known and in use by all relevant parties. Your personnel must be implementing what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties use the policies and procedures. It is not sufficient that you generate documentation just for the sake of the audit. Your assessor should be reading these documents, familiar with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and procedures understands what they are. If PCI Requirement 6.7 is not met, your systems and applications will be left vulnerable.

Once again, we come to the capstone for Requirement 6. You need to maintain a documentation program. The documentation must be fully documented, in use, and known to all affected parties. From an assessment perspective, we’re going to be looking at your paperwork, reviewing your SDLC and policies, and interviewing your staff to make sure that they understand and have applied the policies as you’ve defined them for your organization.