PCI Readiness Series: PCI Requirements 5 and 6

by KirkpatrickPrice / October 8th, 2015

This session in our PCI Readiness Series highlights PCI Requirements 5 and 6, which work together to help organizations build and maintain a vulnerability management program. PCI Requirement 5 states, “Protect all systems against malware and regularly update anti-virus software or programs.” PCI Requirement 6 states, “Develop and maintain secure systems and applications.”

What is Requirement 5?

There are more people than you think looking to harm your environment. PCI Requirement 5 specifically calls out that your organization should protect against malware and use anti-virus software. Malware constantly shows up in today’s headlines, and it takes many forms: viruses, worms, ransomware, Trojans, and more. Your organization should take every precaution possible to prevent a potential attack. This webinar discusses the following sub-requirements:

Requirement 5.1 – Deploy anti-virus software on all systems commonly affected by malicious software, particularly personal computers and servers.

Requirement 5.2 – Ensure that all anti-virus mechanisms are maintained.

Requirement 5.3 – Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Requirement 5.4 – Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

What is Requirement 6?

Complying with PCI Requirement 6 will help your organization build a vulnerability management program that develops and maintains secure systems and applications. Attackers often use common security vulnerabilities to gain entry to systems in the targeted environment. Many of these vulnerabilities could be fixed with vendor-supplied security patches, but the problem arises when those patches are installed too late or not at all. The PCI DSS calls for all systems and applications to have all appropriate security patches implemented within an appropriate period of time in order to protect the cardholder data environment. This requirement covers every application in your environment, whether you bought it commercially or developed it yourself. This webinar discusses the following sub-requirements:

Requirement 6.1 – Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.

Requirement 6.2 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Requirement 6.3 – Develop internal and external software applications in accordance with PCI DSS, based on industry standards or best practices, and incorporate information security throughout the software-development life cycle.

Requirement 6.4 – Follow change control processes and procedures for all changes to system components.

Requirement 6.5 – Address common coding vulnerabilities in software-development processes.

Requirement 6.6 – For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

Requirement 6.7 – Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.
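As an added illustration of how Requirements 6.1 and 6.2 can be checked against a patch inventory (this is example code, not KirkpatrickPrice's or the PCI SSC's), the script below flags patches with no risk ranking and critical patches installed, or still missing, past the one-month deadline. It assumes "one month" is read as 30 days and uses constructed inventory records with placeholder patch identifiers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: "within one month of release" (Requirement 6.2) is modelled as 30 days.
CRITICAL_SLA = timedelta(days=30)
# Risk rankings the organisation assigns under Requirement 6.1 (assumed scale).
RISK_RANKS = {"critical", "high", "medium", "low"}


@dataclass(frozen=True)
class PatchRecord:
    system: str
    patch_id: str
    risk: str                  # risk ranking assigned under 6.1 ("" = none assigned)
    released: date             # vendor release date
    installed: Optional[date]  # None = not yet installed


def check_patch_compliance(records: List[PatchRecord], as_of: date) -> List[Tuple[str, str, str]]:
    """Return (system, patch_id, finding) for every record that fails a 6.1 or 6.2 check."""
    findings = []
    for r in records:
        if r.risk not in RISK_RANKS:
            findings.append((r.system, r.patch_id, "6.1: no valid risk ranking assigned"))
            continue
        if r.risk != "critical":
            continue  # only critical patches carry the hard one-month deadline quoted above
        deadline = r.released + CRITICAL_SLA
        if r.installed is None:
            if as_of > deadline:  # missing and already overdue
                overdue = (as_of - deadline).days
                findings.append((r.system, r.patch_id, f"6.2: critical patch not installed, {overdue} days past deadline"))
        elif r.installed > deadline:  # installed, but later than the deadline
            late = (r.installed - deadline).days
            findings.append((r.system, r.patch_id, f"6.2: critical patch installed {late} days late"))
    return findings


# Constructed sample inventory; patch identifiers are placeholders, not real advisories.
SAMPLE_RECORDS = [
    PatchRecord("web-01", "PATCH-EXAMPLE-001", "critical", date(2015, 8, 1), date(2015, 8, 15)),  # on time
    PatchRecord("web-02", "PATCH-EXAMPLE-001", "critical", date(2015, 8, 1), date(2015, 9, 20)),  # 20 days late
    PatchRecord("db-01", "PATCH-EXAMPLE-002", "critical", date(2015, 9, 1), None),                # overdue, missing
    PatchRecord("db-01", "PATCH-EXAMPLE-003", "", date(2015, 9, 1), None),                        # never risk-ranked
    PatchRecord("app-01", "PATCH-EXAMPLE-004", "medium", date(2015, 7, 1), None),                 # no hard deadline
]


def sample_findings(as_of: date = date(2015, 10, 8)) -> List[Tuple[str, str, str]]:
    """Run the checks over the constructed inventory as of the given date."""
    return check_patch_compliance(SAMPLE_RECORDS, as_of)


if __name__ == "__main__":
    for system, patch_id, finding in sample_findings():
        print(f"{system:8} {patch_id:18} {finding}")
```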

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.