PCI 6:

From HORSE - Holistic Operational Readiness Security Evaluation.

Requirement 6: Develop and maintain secure systems and applications and implement Strong Access Control Measures.

  • Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed via vendor security patches, and all systems should have current software patches to protect against exploitation by employees, external hackers, and viruses. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

PCI-6.1 Ensure that all system components and software have the latest vendor-supplied security patches.

PCI-6.1.1 Install relevant security patches within one month of release.

PCI-6.2 Establish a process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet). Update your standards to address new vulnerability issues.

PCI-6.3 Develop software applications based on industry best practices and include information security throughout the software development life cycle.

  • Include the following:

PCI-6.3.1 Testing of all security patches and system and software configuration changes before deployment.

PCI-6.3.2 Separate development, test, and production environments.

PCI-6.3.3 Separation of duties between development, test, and production environments.

PCI-6.3.4 Production data (real credit card numbers) are not used for testing or development.

PCI-6.3.5 Removal of test data and accounts before production systems become active.

PCI-6.3.6 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers.

PCI-6.3.7 Review of custom code prior to release to production or customers, to identify any potential coding vulnerability.

PCI-6.4 Follow change control procedures for all system and software configuration changes.

  • The procedures should include the following:

PCI-6.4.1 Documentation of impact.

PCI-6.4.2 Management sign-off by appropriate parties.

PCI-6.4.3 Testing that verifies operational functionality.

PCI-6.4.4 Back-out procedures.

PCI-6.5 Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities.

  • See www.owasp.org - “The Ten Most Critical Web Application Security Vulnerabilities.”

  • Cover prevention of common coding vulnerabilities in software development processes, to include:

PCI-6.5.1 Unvalidated input.

PCI-6.5.2 Broken access control (e.g., malicious use of user IDs).

PCI-6.5.3 Broken authentication/session management (use of account credentials and session cookies).

PCI-6.5.4 Cross-site scripting (XSS) attacks.

PCI-6.5.5 Buffer overflows.

PCI-6.5.6 Injection flaws (e.g., SQL injection).

PCI-6.5.7 Improper error handling.

PCI-6.5.8 Insecure storage.

PCI-6.5.9 Denial of service.

PCI-6.5.10 Insecure configuration management.

  • Implement Strong Access Control Measures.

--Mdpeters 11:25, 7 July 2006 (EDT)