PCI DSS Requirement 6 – Changes from v3.2.1 to v4.0 Explained

Contact Auditor
Published on : October 21, 2024

Welcome back to our series on PCI DSS Requirement Changes from v3.2.1 to v4.0. Today, we’re discussing Requirement 6, which is crucial for protecting cardholder data. It mandates the use of vendor-supplied security patches and secure coding practices for in-house developed applications. These measures help mitigate vulnerabilities that hackers could exploit. The requirement also emphasizes the importance of vigilance in identifying and remediating vulnerabilities. So, let’s get started! To learn more about the other requirements of PCI DSS, check out our comprehensive guide on the “12 requirements of PCI DSS.”

Below, we provide an explanation of the changes made in Requirement 6 from v3.2.1 to v4.0:

[table id=40 /]

[table id=41 /]

[table id=42 /]

[table id=43 /]

Organizations are required to maintain documented procedures that ensure their developers are well-versed in understanding potential threats. Moreover, developers should actively employ techniques to counter these threats in the software they build. 

In a broader perspective, version 4.0 mandates a flexible, risk-based approach to software security. This approach should be tailored to the organization’s unique environment and associated risks. The primary objective is to address common software vulnerabilities throughout the development process. 

[table id=44 /]

The requirement 6.3 of PCI DSS v4.0 provides more detailed guidelines for identifying and managing security vulnerabilities, maintaining software inventories, and installing security patches/updates. It expands the scope to include bespoke, custom, and third-party software components. 

[table id=45 /]

[table id=46 /]

PCI DSS v4.0 requirement 6.5 introduces several important changes aimed at improving security for organizations involved in handling cardholder data: 

  • Expanded Change Control: All system changes must follow secure, robust procedures. 
  • Compliance Re-verification: After significant changes, systems must be checked against all relevant PCI DSS standards. 
  • Enforced Isolation: Stricter separation between development/test and production environments. 
  • Accountability Focus: Separate personnel managing different environments promote responsibility. 

New Requirements: 

Requirement 6.1.2  

This requirement ensures everyone involved in security-related tasks knows their exact role and what’s expected of them. (It should be implemented immediately for v4.0 Assessments and it’s applicable to all entities.) 

  • Clear job descriptions should outline security responsibilities.  
  • Assign appropriate personnel to these roles officially.  
  • Communicate with staff to ensure they comprehend their security duties. 

Requirement 6.3.2: 

You need to track all the software you use, especially custom-made software, to fix security issues quickly. (This requirement is a best practice until 31 March 2025.) 

  • Maintain a comprehensive software list, encompassing custom and third-party components. 
  • Regularly review it for security vulnerabilities, applying patches.  
  • Compare the list with official documentation to ensure accuracy and completeness. 

Requirement 6.4.2: 

Protect your website from online attacks with specialized software. (This requirement is a best practice until 31 March 2025.) 

  • Employ specialized software, such as a Web Application Firewall (WAF), to safeguard against web attacks.  
  • Deploy it for public-facing websites.  
  • Keep the software running and up to date, logging its detections.  
  • Configure it for either automatic blocking or immediate alerts for investigation. 

Requirement 6.4.3: 

Control the scripts running on your payment pages to keep them secure. (This requirement is a best practice until 31 March 2025.) 

  • Establish clear guidelines for authorized scripts on payment pages.  
  • Verify scripts’ integrity and maintain a list with justifications for each script’s necessity.  
  • Implement official script management procedures within the company.  
  • Monitor staff adherence through interviews and record checks. 

 

Conclusion: 

In summary, PCI DSS v4.0 Requirement 6 emphasizes secure software development and vulnerability management with significant enhancements. Defined roles and responsibilities, alignment of custom code review and developer training, consolidation of secure coding practices, separate requirement for vulnerability management, elimination of manual web app assessments, and new mandates for change control and script management aim to strengthen system security. Robust patch management, strict change control, and secure coding practices are essential for protecting cardholder data. Visit VISTA InfoSec’s website for more information on PCI DSS Requirement 6 and related topics. Stay informed and secure. 

Lets us help you

Need help navigating PCI DSS v4.0? We have been active in the PCI DSS space since 2008 and even certify payment brand. Our PCI DSS services provide assurance on card security controls, with offerings for both product platform and backend services attestation.

We have a dedicated team of auditors and a separate team for consulting/advisory assignments to even help our esteemed clients to define processes and achieve compliance.

We have completed multiple PCI DSS 4.0 certifications too right from scoping to Readiness Assessment, Advisory and Final Certification.

We are vendor neutral and have a strict no-outsourcing policy. We can also assist you with the technical assessments needed for PCI DSS Compliance – Vulnerability Assessment, Penetration Testing, Network Segmentation Testing, Network Architecture Review, Firewall Assessment, Secure Configuration Assessment, Web and Mobile Application Security Assessment, and Secure Code Review.