Auditor Tips: Requirement 6: System Updating And Software Development

Michael Ohran

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.

System administrators have the responsibility to ensure that all system components (e.g., servers, firewalls, routers, workstations) and software are updated with critical security patches within 30 days of public release. If not, these components and software are vulnerable to malware and security exploits.

Quickly implementing security updates is crucial to your security posture.

Systems or software might be excluded from updates because they weren’t able to communicate with the update server (e.g., WSUS, Puppet). This broken communication could have resulted from a network or system configuration change. It’s imperative that system administrators are alerted when security updates fail.
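The check described above, as an added example (not code from the PCI Guide or the article's author): it audits a constructed inventory export and raises a finding for components that stopped reporting to the update server, whose last update run failed, or that are missing a critical patch past the 30-day window. The record fields, the patch names, and the 7-day MAX_SILENCE threshold are assumptions; only the 30-day window comes from the article.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=30)  # from the article: critical patches within 30 days of release
MAX_SILENCE = timedelta(days=7)    # assumption: longest acceptable gap between check-ins

# Constructed sample export: one record per in-scope component.
INVENTORY = [
    {"host": "web01", "last_checkin": date(2024, 6, 9), "last_install_ok": True,
     "missing_critical": {"PATCH-A": date(2024, 5, 28)}},
    {"host": "db01", "last_checkin": date(2024, 6, 9), "last_install_ok": True,
     "missing_critical": {"PATCH-B": date(2024, 4, 30)}},
    {"host": "fw01", "last_checkin": date(2024, 5, 2), "last_install_ok": True,
     "missing_critical": {}},
    {"host": "pos07", "last_checkin": None, "last_install_ok": None,
     "missing_critical": {}},
    {"host": "app02", "last_checkin": date(2024, 6, 10), "last_install_ok": False,
     "missing_critical": {"PATCH-A": date(2024, 5, 28)}},
]


def audit(inventory, today):
    """Return (host, finding, detail) tuples that should raise an alert."""
    findings = []
    for rec in inventory:
        host, seen = rec["host"], rec["last_checkin"]
        if seen is None:
            # In the inventory but unknown to the update server.
            findings.append((host, "NEVER_REPORTED", "no check-in on record"))
            continue
        if today - seen > MAX_SILENCE:
            # A silent host's empty missing-patch list is stale data, not a clean result.
            findings.append((host, "SILENT", f"last check-in {seen.isoformat()}"))
        if rec["last_install_ok"] is False:
            findings.append((host, "INSTALL_FAILED", "last update run reported failure"))
        for patch, released in sorted(rec["missing_critical"].items()):
            age = today - released
            if age > PATCH_WINDOW:  # day 30 itself is still inside the window
                findings.append((host, "OVERDUE", f"{patch} released {age.days} days ago"))
    return findings


if __name__ == "__main__":
    for host, finding, detail in audit(INVENTORY, today=date(2024, 6, 10)):
        print(f"{host:6} {finding:15} {detail}")
```

Note that fw01 reports no missing patches yet is still flagged: a component that has dropped off the update server looks clean precisely because it has stopped reporting.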

Another important subsection of requirement 6 is the need to have proper change control processes and procedures. Change control processes should include at least the following:

  • Development/test environments must be separate from production with proper access control in place to enforce access rights.
  • Separation of duties must be implemented between personnel assigned to development/test environments and those assigned to production.
  • Production data (e.g., live credit card numbers, live personally identifiable information) must never be used in test/development environments.
  • All test data and accounts must be removed before a production system becomes active.
  • Change control procedures related to implementing security patches and software modifications must be documented.

Companies need to embrace the idea of change control for their software development and system patching/updating. The PCI Council details four requirements for what a proper change control procedure must contain:

  • Changes must have a documented explanation of what will be impacted by the change.
  • Changes must have documented approval by authorized parties.
  • Changes to an organization’s production environment must undergo proper iterations of testing and QA before being released into production.
  • Change control procedures must always include a back-out or roll-back procedure in case the updates go awry.

When developing software (e.g., web applications), it’s crucial that organizations adopt industry-accepted standards or best practices for coding, such as those from OWASP. This will guide them in enforcing secure coding practices in their application development process and keep software code free of common vulnerabilities (e.g., cross-site scripting, SQL injection, insecure communications, CSRF).

Insecure communications, for example, have been in the spotlight since SSL and TLS 1.0 are no longer considered acceptable protocols when data is being transmitted over open, public networks. Everyone should be on TLS 1.2 or later now.

PCI DSS v4.0 Considerations for Requirement 6

Requirements have been moved around and grouped together where they are related.

New requirements have been added, notably that all scripts loaded onto the payment page in the consumer’s browser must be managed. New solutions and services are being developed to assist with this.

Also, a web application firewall is no longer optional.