Requirement 6: Develop and maintain secure systems and applications

Much of requirement 6 applies only to organizations that develop applications that are used in your cardholder data environment such as websites and APIs that accept payments, or applications that process cardholder information. However, there are parts of requirement 6 that apply to all organizations, even if no development is performed:

A process must be in place to identify relevant security vulnerabilities as they emerge. Reputable industry resources such as Microsoft Security Bulletins and Cisco Security Advisories should be monitored to identify new threats such as operating system vulnerabilities and critical patches. All identified vulnerabilities should be assigned a risk ranking such as “high”, “medium”, or “low” based on the risk and the critical nature of the affected systems, so that risk mitigation efforts can be prioritized appropriately. All systems and software must be protected from known vulnerabilities by installing critical security patches within one month of release, and all non-critical security releases should be installed within about three months of release.
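As an added illustration of the patching process described above (not part of the original page and not tied to any particular vendor tool), the following Python script evaluates a patch inventory against the one-month and three-month windows, orders the missing patches by the assigned risk ranking, and flags anything that has passed its deadline. The host names, patch identifiers and dates are constructed sample data.

```python
from datetime import date, timedelta

# Remediation windows stated above: critical patches within one month,
# non-critical releases within about three months of release.
SLA_DAYS = {"critical": 30, "non-critical": 90}

# Risk ranking assigned during triage; lower number = remediate first.
RANK_PRIORITY = {"high": 0, "medium": 1, "low": 2}


def evaluate_patch_status(inventory, today):
    """Return one finding per missing patch with its deadline and overdue state.

    inventory: iterable of dicts with keys host, patch, released (date),
    criticality ('critical' | 'non-critical'), risk ('high' | 'medium' | 'low')
    and installed (bool). Findings are sorted: overdue first, then by risk
    ranking, then by days remaining, so the list doubles as a work queue.
    """
    findings = []
    for item in inventory:
        if item["installed"]:
            continue  # nothing to track once the patch is deployed
        deadline = item["released"] + timedelta(days=SLA_DAYS[item["criticality"]])
        days_left = (deadline - today).days
        findings.append({
            "host": item["host"], "patch": item["patch"], "risk": item["risk"],
            "deadline": deadline, "days_left": days_left, "overdue": days_left < 0,
        })
    findings.sort(key=lambda f: (not f["overdue"], RANK_PRIORITY[f["risk"]], f["days_left"]))
    return findings


# Constructed sample inventory: hypothetical hosts and patch IDs, not real advisories.
SAMPLE_INVENTORY = [
    {"host": "web-01", "patch": "PATCH-A", "released": date(2024, 1, 5),
     "criticality": "critical", "risk": "high", "installed": False},
    {"host": "db-01", "patch": "PATCH-B", "released": date(2024, 1, 20),
     "criticality": "non-critical", "risk": "medium", "installed": False},
    {"host": "web-02", "patch": "PATCH-A", "released": date(2024, 1, 5),
     "criticality": "critical", "risk": "high", "installed": True},
    {"host": "app-01", "patch": "PATCH-C", "released": date(2024, 2, 10),
     "criticality": "critical", "risk": "low", "installed": False},
]

if __name__ == "__main__":
    for f in evaluate_patch_status(SAMPLE_INVENTORY, date(2024, 2, 20)):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']:8} {f['patch']:8} risk={f['risk']:6} due {f['deadline']} {state}")
```

Run against a real inventory export, the overdue entries are the ones an assessor will ask about, and the ordered list is the evidence that remediation is being prioritized by risk ranking.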

Documented change control records and a testing environment should be used to verify the proper functionality of new systems and changes before they are implemented in the production environment. Live card numbers must not be used for testing purposes, and all test accounts must be removed from systems before they are migrated to the production environment. A separation of duties must be maintained such that the same username and password combinations are not used for both the test and production environments.

Organizations that develop applications for use in the CDE must also maintain the following requirements:

All custom code must be reviewed by someone other than the author and approved by management before it is pushed to the production environment. All developers must be trained annually to avoid common security vulnerabilities such as those outlined in the OWASP Top Ten or SANS Top Twenty Five Software Errors. Training records must be maintained to include course topics and attendance/completion records for all developers. (Topics that must be included in developer training are contained in requirements 6.5.1 through 6.5.10).

Custom public-facing web applications must be further protected from web-based attacks by annual code scanning or a web application firewall. Code scanning utilities are often used to meet this requirement. Code scanning reports should be maintained for review and demonstration of compliance.
