PCIDSS.COM - PCI DSS Security Solutions Directory

Category: PCI DSS Requirement 6

Develop and Maintain Secure Systems and Software

Attackers can exploit security flaws to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. To protect cardholder data against exploitation and compromise by malicious individuals and malicious software, all relevant software patches must be installed on all system components.

Appropriate software patches are those that have been sufficiently evaluated and tested to ensure that they do not conflict with existing security configurations. For custom or bespoke software, numerous vulnerabilities can be avoided by using secure coding methods and software lifecycle (SLC) processes, which in turn mitigates potential successful attacks.

PCI DSS assessments also apply to code repositories that store application code, system configurations, or other configuration data that may affect the security of cardholder data or the CDE.

PCI DSS Requirement 6 is closely related to the PCI SSC Software Standards, and the two should be reviewed in tandem.

PCI Solution Provider

Incapsula

Incapsula’s cloud-based Web Application Firewall (WAF), hosted by Rackspace, safeguards your websites and application from any web attack, so you…


PCI Solution Provider

Cloudflare

Cloudflare’s WAF stops attacks at the network edge, protecting your website from common web threats and specialized attacks before they…


Location: Headquarters, San Francisco, California, United States
PCI Solution Provider

Fortinet

Run vulnerability scans during initial FortiWeb deployment (see How to set up your FortiWeb) and any time you are staging…


Location: Global PCI DSS Solutions
PCI Solution Provider

Checkmarx

Checkmarx’s source code analysis makes PCI DSS compliance simpler. You can satisfy the requirement to regularly inspect your code using…


Location: Global PCI DSS Solutions