PCI Requirement 6 - Patches and Scanning and Coding, Oh My!

This is the sixth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process.

To view the previous posts in this series, follow the links below:

PCI Requirement 1 - Defending the Wall

PCI Requirement 2 - Change Your Defaults!

PCI Requirement 3 - Don't Store Cardholder Data!

PCI Requirement 4 - Hide in Plain Sight!

PCI Requirement 5 - Update and Scan

PCI requirement 6: Develop and Maintain Secure Systems and Applications

Requirement 6 joins the previous requirement in and around Anti-virus/Anti-Malware within the Vulnerability Management program section of the PCI requirements. This requirement will help you build a vulnerability management program that will ensure the development and maintenance of secure systems and applications. Patching and vulnerability scanning are critical components to this PCI requirement as it means there are some tools that need to be involved. Below I will discuss some challenges companies face when trying to meet this requirement. If your organization does application development for your PCI environment, there are a number of different pieces requirement 6 will make you comply with. These include formal software development procedures, formal code testing and deployment, as well as ensuring your developers are up-to-date on their secure coding techniques. These pieces of the program are not one and done, these are ongoing and fundamental to the PCI world you may live in.

Some of the areas where we see companies that must achieve and/or maintain PCI Compliance face challenges within requirement 6 include:

1. More Tools are Needed - Between patching, scanning, code testing and deployment, there could be some significant costs involved to acquire all of the tools necessary.
2. Training Developers on Secure Coding - Ongoing training on the latest techniques and secure coding methods are critical to ensuring you meet requirement 6. This does take time away from actual workable hours but is well worth it. It will start the process of instilling of a “security first” culture in your company.
3. Developer Resources – Code reviews can be a manual process. This leads to additional time required for internal resources to complete the review which can cost the company money. If an entity does not have enough qualified personnel in-house to complete the code review, a third-party or automated tool is needed to satisfy the requirement, thus increasing the costs associated with outsourcing or as discussed in point number 1, acquiring more tools.

The good news is that, as a Qualified Security Assessor (QSA), Compass is well versed in the PCI compliance space and can help your company determine what you need to do to comply with the latest version of the PCI Data Security Standard.

These challenges are just some of the areas within the PCI DSS requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!