What is PCI-DSS Requirement 6?
PCI-DSS Requirement 6 requires businesses to ensure that all systems and applications they develop or use are secured. It also covers patch management and the remediation of vulnerabilities.
Implementing strict coding standards that are regularly reviewed, especially for your application environment, protects your business against attacks and breaches.
PCI-DSS 6.1: Rank vulnerabilities based on severity.
This requirement calls for companies to establish processes for identifying and addressing vulnerabilities that may impact the security of their internal systems and applications.
Verified outside sources, such as the Common Vulnerabilities and Exposures (CVE) list, should inform how these vulnerabilities are addressed. The requirement also asks companies to assign a risk ranking by severity (low, medium, high) to every vulnerability that has been identified.
An external assessor will also interview the relevant personnel to confirm that the controls are being performed correctly.
PCI-DSS 6.2: Patches need to be applied for all known security vulnerabilities.
Businesses must protect themselves against all known vulnerabilities by installing security patches as soon as vendors release them. Critical patches must be installed no later than one month after release; how urgently other patches are needed depends on the risk ranking of the affected network.
As with PCI-DSS Requirement 6.1, a qualified assessor will also scan a sample of the business's system components. The results are cross-referenced with your vendors' lists of relevant, available patches to verify that patches are being installed within the required time frame.
PCI-DSS 6.3: Develop all apps securely.
This requirement calls for the secure development of internal, external and web apps through the following sub-requirements:
- PCI-DSS 6.3.1 – Remove all accounts and settings created for either development or testing purposes before making apps or software usable by clients or publicly available.
- PCI-DSS 6.3.2 – Review all custom code for vulnerabilities, whether manually or through an automation process, before making apps or software usable by clients or publicly available.
PCI-DSS 6.4: Install processes and procedures for change control.
Companies must ensure all relevant personnel follow change control procedures, including:
- PCI-DSS 6.4.1 – Separate all development or test environments from production environments.
- PCI-DSS 6.4.2 – Separate the duties between development and production environments.
- PCI-DSS 6.4.3 – Ensure all production data is not used for development or testing.
- PCI-DSS 6.4.4 – Remove any test-related data from all components before activation.
- PCI-DSS 6.4.5 – Implement the change control procedures, which include:
  - Documentation of change impact and approval.
  - Testing of functionality and back-out procedures.
- PCI-DSS 6.4.6 – Implement all PCI-DSS Requirements once changes have been made.
PCI-DSS 6.5: Address all frequent development vulnerabilities.
This sub-requirement covers the controls for mitigating the most frequent vulnerabilities in coding.
- PCI-DSS 6.5.1 – Protect against all injection flaws for all applications.
- PCI-DSS 6.5.2 – Protect against all buffer overflow or buffer overrun vulnerabilities.
- PCI-DSS 6.5.3 – Protect against all insecure cryptographic key storage.
- PCI-DSS 6.5.4 – Protect against insecure communications and traffic.
- PCI-DSS 6.5.5 – Protect against improper error handling.
- PCI-DSS 6.5.6 – Protect against all threats rated as high risk.
- PCI-DSS 6.5.7 – Protect against cross-site scripting (XSS) risks across web apps.
- PCI-DSS 6.5.8 – Protect against improper access control measures across web apps.
- PCI-DSS 6.5.9 – Protect against cross-site request forgery (CSRF) across web apps.
- PCI-DSS 6.5.10 – Protect against authentication management flaws across web apps.
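As an added illustration of two items on the list above, injection flaws (6.5.1) and cross-site scripting (6.5.7), the following Python example (written for this page, not taken from the PCI-DSS standard or from Hicomply) puts a vulnerable function beside its hardened form. The customer table, e-mail addresses and card digits are constructed sample data held in an in-memory SQLite database; only the standard library is used.

```python
"""
Added example (not from the page): PCI-DSS 6.5.1 (injection) and
6.5.7 (XSS) shown as a vulnerable function beside a hardened one,
using only the Python standard library and constructed sample data.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table of customers in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1111")],
    )
    conn.commit()
    return conn


# 6.5.1, vulnerable: the caller's input is pasted into the SQL text, so
# quote characters in the input change the meaning of the statement.
def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    query = f"SELECT email, last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


# 6.5.1, hardened: the input travels as a bound parameter and is only
# ever compared as a value, never parsed as SQL.
def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    return conn.execute(
        "SELECT email, last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# 6.5.7, vulnerable: untrusted text is written straight into the HTML,
# so any markup in the name is rendered by the browser.
def render_vulnerable(name: str) -> str:
    return f"<p>Welcome back, {name}</p>"


# 6.5.7, hardened: escape for the HTML text context before embedding.
# quote=True also escapes " and ' so the value is safe inside attributes.
def render_hardened(name: str) -> str:
    return f"<p>Welcome back, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # A constructed input containing a quote: the vulnerable lookup
    # returns every row, the hardened one matches nothing.
    tainted = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, tainted))
    print("hardened lookup:  ", lookup_hardened(db, tainted))
    print("hardened lookup (real address):",
          lookup_hardened(db, "alice@example.com"))

    markup = "<script>alert(1)</script>"
    print("vulnerable render:", render_vulnerable(markup))
    print("hardened render:  ", render_hardened(markup))
```

Reviewing custom code for exactly these two patterns (string-built SQL and unescaped template output) is the kind of check 6.3.2 asks for before an application goes live.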
PCI-DSS 6.6: Adjust for new and known threats in web apps.
PCI-DSS Requirement 6.6 requires businesses to review all publicly accessible web applications so that external users are not exposed to threats. These reviews may be automated or manual, and they must be performed annually.
Your business may also install an automated detection or prevention solution that monitors traffic to your web apps.
PCI-DSS 6.7: Document all system and application controls.
As with all other PCI-DSS requirements, you must formally document this process. The documentation must be in use throughout the company and shared with stakeholders, who must also comply with the sub-requirements.
Achieve PCI-DSS compliance with Hicomply
If you’re looking to meet all the PCI-DSS requirements, including PCI-DSS Requirement 6, we can help. At Hicomply, we know that the process can seem long-winded and confusing, which is why we offer a full ISMS solution that allows you to keep everything you need to achieve certification in one place. Contact us today for a demo.