[PCI_DSS] Requirement 6: Develop and maintain secure systems and applications


6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.

6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues.

6.3 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
    6.3.1 Testing of all security patches and system and software configuration changes before deployment
    6.3.2 Separate development, test, and production environments
    6.3.3 Separation of duties between development, test, and production environments
    6.3.4 Production data (live PANs) are not used for testing or development
    6.3.5 Removal of test data and accounts before production systems become active
    6.3.6 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers
    6.3.7 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability

6.4 Follow change control procedures for all system and software configuration changes. The procedures must include the following:
    6.4.1 Documentation of impact
    6.4.2 Management sign-off by appropriate parties
    6.4.3 Testing of operational functionality
    6.4.4 Back-out procedures

6.5 Develop all web applications based on secure coding guidelines, such as the Open Web Application Security Project Guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
    6.5.1 Unvalidated input
    6.5.2 Broken access control (for example, malicious use of user IDs)
    6.5.3 Broken authentication and session management (use of account credentials and session cookies)
    6.5.4 Cross-site scripting (XSS) attacks
    6.5.5 Buffer overflows
    6.5.6 Injection flaws (for example, structured query language (SQL) injection)
    6.5.7 Improper error handling
    6.5.8 Insecure storage
    6.5.9 Denial of service
    6.5.10 Insecure configuration management

6.6 Ensure that all web-facing applications are protected against known attacks by either of the following methods:
    * Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
    * Installing an application-layer firewall in front of web-facing applications
    Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.