
6 Develop and Maintain Secure Systems and Software


18 requirements in the Develop and Maintain Secure Systems and Software requirement

6.1.1 All security policies and operational procedures that are identified in Requirement 6 are: Documented.
6.1.2 Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood.
6.2.1 Bespoke and custom software are developed securely, as follows: Based on industry standards and/or best practices for secure development.
6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: On software security relevant to their job function and development languages.
6.2.3 Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows: Code reviews ensure code is developed according to secure coding guidelines.
6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities for bespoke and custom software, including but not limited to the following: Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
6.3.1 Security vulnerabilities are identified and managed as follows: New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.
6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.
6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: At least once every 12 months and after significant changes.
6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following: Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
6.4.3 All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: A method is implemented to confirm that each script is authorized.
6.5.1 Changes to all system components in the production environment are made according to established procedures that include: Reason for, and description of, the change.
6.5.2 Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable.
6.5.3 Pre-production environments are separated from production environments and the separation is enforced with access controls.
6.5.4 Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed.
6.5.5 Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements.
6.5.6 Test data and test accounts are removed from system components before the system goes into production.