To ensure secure systems for PCI DSS Requirement 6, it's essential to implement a robust change control process. This process should include a formal change management policy, which outlines the procedures for requesting, approving, and implementing changes to systems and applications.
Regularly reviewing and updating this policy is crucial, as it should be aligned with the organization's changing needs and security requirements. A recent example of this can be seen in a company that updated its policy to include a risk assessment for all changes, which helped identify and mitigate potential security vulnerabilities.
Implementing a change management tool can also streamline the process and provide a centralized repository for change requests and approvals. This can help reduce errors and improve compliance with PCI DSS Requirement 6.
By following these best practices, organizations can ensure that their systems and applications are secure and compliant with PCI DSS Requirement 6.
Firewall and Network Security
Firewall and Network Security is a critical aspect of PCI DSS Requirement 6. You'll need to properly configure your firewall and routers to protect your payment card data environment.
Firewalls restrict incoming and outgoing network traffic, acting as the first line of defense against hackers. Establish firewall and router rules and standards to determine which types of traffic are allowed and which aren't.
Meeting the PCI DSS firewall requirements is the first step towards organizational compliance, so take the necessary steps to ensure your network is secure.
Install and Maintain Firewall
Installing a firewall is a crucial step in protecting your payment card data environment, since it is the first control that restricts incoming and outgoing network traffic.
To configure it properly, establish rules and standards that determine which types of traffic are allowed and which aren't. Both firewalls and routers must be configured to protect your payment card data environment.
Review and update firewall and router rules regularly so they remain effective and continue to block unauthorized access to your network.
Inappropriate Access Control
Inappropriate access control is a major vulnerability in network security. Attackers can exploit insecure direct object references to reach objects they are not authorized to access.
A direct object reference occurs when a developer exposes a reference to an internal application object as a URL or form parameter. It becomes exploitable when changing that reference is enough to access other objects, because no authorization check is made on the server.
Attackers can enumerate and navigate the directory structure of a website to gain access to unauthorized information and learn more about the site's functioning for later exploitation.
Limiting access to data sources is crucial to prevent cardholder data from being made available to unauthorized sources. Only authorized users should be allowed to access direct object references to sensitive resources.
To prevent direct object reference vulnerabilities, developers must use coding techniques that include sanitizing entries and not disclosing internal object references to users.
Here are some best practices to follow:
- Users must be properly authenticated.
- Inputs should be sanitized.
- Internal object references should not be disclosed to users.
- User interfaces should be designed so that they do not expose unauthorized functions.
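The following is an added example, not code from the original article, showing the difference between an object lookup that trusts the identifier from the request and one that enforces ownership, plus a per-session indirect reference map so internal ids are never disclosed. The invoice table, user names and `Forbidden` exception are constructed for the example.

```python
import secrets

# Constructed sample data: invoices belonging to two different customers.
INVOICES = {
    1001: {"owner": "alice", "amount": "42.00"},
    1002: {"owner": "bob", "amount": "99.50"},
}

class Forbidden(Exception):
    """Raised when a caller asks for an object it is not entitled to."""

def get_invoice_insecure(invoice_id: int) -> dict:
    """Vulnerable pattern: the id from the URL is trusted as-is, so any
    authenticated user can read any invoice by changing the number."""
    return INVOICES[invoice_id]

def get_invoice_checked(user: str, invoice_id: int) -> dict:
    """Hardened pattern: the object is looked up, then ownership is
    enforced on the server before anything is returned."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        # Same response for "missing" and "not yours", so the endpoint
        # cannot be used to enumerate which ids exist.
        raise Forbidden("invoice not available")
    return invoice

def can_access(user: str, invoice_id: int) -> bool:
    """Convenience wrapper: True when the checked lookup succeeds."""
    try:
        get_invoice_checked(user, invoice_id)
        return True
    except Forbidden:
        return False

class ReferenceMap:
    """Per-session indirect reference map: the client only ever sees
    random opaque handles, never the internal invoice ids."""
    def __init__(self):
        self._to_internal = {}

    def expose(self, internal_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._to_internal[handle] = internal_id
        return handle

    def resolve(self, user: str, handle: str) -> dict:
        internal_id = self._to_internal.get(handle)
        if internal_id is None:
            raise Forbidden("unknown reference")
        # The ownership check still runs: the map hides ids, it does
        # not replace authorization.
        return get_invoice_checked(user, internal_id)
```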
Data Protection
Data protection is a top priority for any business handling cardholder data. You need to know where cardholder data is going, the location it will be stored, and for exactly how long.
Cardholder data must be encrypted using industry-accepted algorithms and strong keys. In particular, primary account numbers (PANs) must never be stored unencrypted.
Using a card data discovery tool can help identify where cardholder data is being stored. This is especially useful for companies that aren't aware of where their data is being stored.
Insecure cryptographic storage can expose authentication information or cardholder data. To prevent this, you should use strong cryptographic algorithms and keys.
Here are some coding techniques to handle insecure cryptographic storage:
- Cryptographic flaws must be prevented.
- Strong cryptographic algorithms and keys should be used.
Secure Systems and Applications
To deploy secure systems and applications, you'll need to define and implement processes to identify and classify risk. This starts with a thorough risk assessment covering the technology you deploy.
Without such a risk assessment, technology cannot be managed and used in compliance with PCI standards.
You should enlist a PCI compliance partner to help vet new hardware or software to ensure it's secure. This includes installing vendor-specified updates or security patches within one month of release.
All personnel involved in software development must be trained on security best practices relevant to their respective roles. This enables personnel to prevent, identify, and fix any security issues before they're introduced into any production environment.
To develop custom software securely, you should base it on industry standards and best practices for secure development, in accordance with PCI DSS. This includes reviewing custom software prior to release into production to identify and correct potential coding vulnerabilities.
You should maintain an inventory of custom software and third-party components incorporated into software to facilitate vulnerability and patch management. This includes protecting all system components from known vulnerabilities by installing applicable security patches and updates.
Public-facing web applications should be protected against attacks by consistently scanning these applications and implementing automated processes to detect and mitigate any attacks that could occur. This includes deploying an automated technical solution that continually detects and prevents web-based attacks.
To address common coding vulnerabilities in software development processes, you should train software developers at least annually in current secure coding techniques, including how to avoid common coding exploits. This includes developing applications based on secure coding guidelines.
In software development policies and procedures, broken authentication and session management should be handled with coding techniques that include setting the "Secure" attribute on session cookies and never exposing session identifiers in the URL.
To protect sensitive data and systems, you should review public-facing web applications with manual or automated application vulnerability assessment tools or methods at least annually and after any change. This includes installing an automated technical solution that detects and prevents web-based attacks.
Here's a list of essential steps to follow:
- Conduct a thorough risk assessment to identify and classify risk
- Enlist a PCI compliance partner to vet new hardware or software
- Train personnel on security best practices relevant to their roles
- Develop custom software based on industry standards and best practices
- Maintain an inventory of custom software and third-party components
- Protect system components from known vulnerabilities
- Scan public-facing web applications and implement automated processes to detect attacks
- Train software developers in secure coding techniques
- Handle broken authentication and session management with secure coding techniques
- Review public-facing web applications and install automated technical solutions to detect and prevent attacks
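An added example (not from the original article) for the session management point above: a helper that emits a session cookie with the hardening attributes, a checker that flags headers missing them, and a check for session identifiers carried in URLs. The sample header, URLs and the list of parameter names treated as session identifiers are assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameter names treated as session identifiers (assumed list).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "jsessionid", "phpsessid", "sid"}

def session_cookie_header(name: str, value: str, max_age: int = 900) -> str:
    """Builds a Set-Cookie line with: Secure (sent over HTTPS only),
    HttpOnly (not readable by page script), SameSite=Lax (not sent on
    cross-site POSTs, while payment-provider redirects still work) and a
    short lifetime."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")

def cookie_findings(header: str) -> list[str]:
    """Flags hardening attributes missing from an existing Set-Cookie
    header, e.g. one captured during an application review."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header.split(";")[1:]}
    return [f"missing {needed}" for needed in ("secure", "httponly", "samesite")
            if needed not in attrs]

def session_id_in_url(url: str) -> bool:
    """True when a session identifier travels in the query string or the
    path (where it would leak via Referer headers, logs and bookmarks)."""
    parts = urlsplit(url)
    if any(k.lower() in SESSION_PARAM_NAMES for k in parse_qs(parts.query)):
        return True
    return ";jsessionid=" in parts.path.lower()

# Constructed sample of a weak header as it might appear in a review.
WEAK_HEADER = "SESSIONID=abc123; Path=/"
```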
Change Management
Change management is a crucial aspect of PCI DSS Requirement 6. It involves managing changes to system components, including hardware and software updates, security patches, and new system installations. Proper change management helps prevent unintended consequences and ensures the security of the system.
The impact of a change must be documented, so all affected parties can plan accordingly. This includes analyzing the possible effects of the change in advance.
Documented change approval by authorized parties indicates that the change is legitimate and approved by the organization. Extensive testing should be done to verify that the security of the environment is not compromised.
Back-out procedures should be established for each change, allowing the system to revert to its previous state if the change fails or adversely affects the security.
Here are the key components of a change management process:
- Impact analysis documentation
- Documented change approval by authorized parties
- Functionality testing to verify that the change does not adversely affect the security of the system
- Back-out procedures
In addition to these components, change management procedures should be applied to all changes, including the addition, removal, or modification of any system component. Reasons for any change should be documented, and the impacts of the change should be documented as well.
Here are some specific requirements for change management:
Secure Software Development
Secure software development is a critical aspect of PCI DSS Requirement 6. It's essential to address common coding vulnerabilities in software development processes to prevent security breaches.
Organizations should have staff knowledgeable about secure coding guidelines to minimize vulnerabilities caused by poor coding practices. This can be achieved through in-house or third-party training, which must be valid for the technology used.
To ensure secure software development, organizations should follow industry best practices such as OWASP Guidelines, SANS CWE Top 25, and CERT Secure Coding. They should also validate user data to prevent injection flaws and use parameterized queries to prevent SQL injection attacks.
Here's a list of key considerations for secure software development:
- Software developers should receive training at least annually in current secure coding techniques.
- Applications should be developed based on secure coding guidelines.
- Injection flaws should be addressed with coding techniques such as validating user data and using parameterized queries.
Eliminate Vendor Defaults
Never rely on the default settings for any servers, network devices, or software applications. This includes Wi-Fi routers, firewalls, and more. Vendor-supplied defaults are often insufficient to meet PCI standards.
To ensure security, you must change the default settings on all new devices and hardware before they go into service. This is a PCI DSS standard requirement.
For example, when vetting new hardware or software, enlist a PCI compliance partner to help ensure it's secure. This is a crucial step in the deployment process.
Make sure to install any vendor-specified updates or security patches within one month of release. This includes patches for items like databases, point-of-sale terminals, and operating systems.
Don't forget to develop any internal software applications with PCI compliance measures in mind. This will save you time and hassle in the long run.
Here's a quick checklist to help you get started:
- Enlist a PCI compliance partner to vet new hardware or software
- Install vendor-specified updates or security patches within one month of release
- Develop internal software applications with PCI compliance measures in mind
By following these steps, you'll be well on your way to eliminating vendor defaults and ensuring the security of your software applications.
Develop Secure Software Applications
Developing secure software applications is a top priority for any organization that wants to protect its customers' sensitive data. This involves addressing common coding vulnerabilities in software development processes.
To do this, developers should receive training at least annually in current secure coding techniques, including how to avoid common coding exploits. This training should be valid for the technology used and updated regularly to address new threats.
Injection flaws, such as SQL injection, are a common method used by attackers to gain unauthorized access to applications. To prevent this, data should be validated before sending it to the application, and only required characters should be allowed.
Injection flaws in software development policies and procedures should be addressed with coding techniques including:
- Validating user data so that it cannot change the meaning of commands and queries.
- Parameterized queries should be used.
Developers should also be trained on secure software design and coding techniques, and how to use tools for detecting vulnerabilities in software. This training should be provided at least once every 12 months.
Custom software should be reviewed prior to release into production, to identify and correct potential coding vulnerabilities. This review should include checking for common software attacks and related vulnerabilities.
To prevent cross-site scripting (XSS) attacks, data should not be accepted without validation, and characters that are not required should be stripped before the data is rendered.
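An added example (not from the original article) for the injection and XSS points above: a lookup that pastes user input into the SQL text next to the hardened version that validates the input's shape and binds it as a parameter, plus HTML output encoding for the value that is rendered back to the page. The in-memory SQLite table, rows and e-mail pattern are constructed for the example.

```python
import html
import re
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice@example.com", "Alice"),
                      ("bob@example.com", "Bob <Sales>")])
    return conn

# Positive validation: only the characters an e-mail address needs.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def find_customer_vulnerable(conn, email: str) -> list:
    """Vulnerable pattern kept for comparison: the input becomes part of
    the SQL text, so it can change the meaning of the query."""
    query = f"SELECT name FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()

def find_customer_safe(conn, email: str) -> list:
    """Hardened pattern: validate the shape first, then pass the value as
    a bound parameter so the database treats it as data, never as SQL."""
    if not EMAIL_RE.match(email):
        return []
    return conn.execute("SELECT name FROM customers WHERE email = ?",
                        (email,)).fetchall()

def render_greeting(name: str) -> str:
    """Output encoding for HTML: the stored name is displayed literally
    instead of being interpreted as markup (XSS prevention)."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"
```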
Compliance and Security
Deploying secure systems and applications is a must for any business handling sensitive payment card information. This includes defining and implementing processes to identify and classify risk for the sake of technology deployment.
A thorough risk assessment is necessary to manage and utilize technology in compliance with PCI standards. This involves rolling out equipment and software used in processing or handling sensitive payment card information, and applying patches in a timely manner.
Scanning for authorization, integrity, and justification across scripts on payment pages requires robust visibility and reporting infrastructure. This includes setting up scans at regular intervals and checking all scripts against PCI rules to identify and address deviations as soon as possible.
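An added example (not from the original article) of the script check described above: it builds an inventory of every script on a payment page (external scripts by source, inline scripts by SHA-256 of their body) and reports any script not in the authorized inventory, where each entry carries its business justification. The page HTML, the authorized list and the domain names are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external ones by src, inline
    ones by the SHA-256 of their body (so a changed body is a new script)."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.append(("sha256", hashlib.sha256(body).hexdigest()))
            self._inline = None

def inventory(page_html: str) -> list[tuple[str, str]]:
    p = ScriptCollector()
    p.feed(page_html)
    return p.scripts

def deviations(page_html: str, authorized: dict) -> list[str]:
    """Scripts present on the page but absent from the authorized
    inventory (a dict of 'kind:identifier' -> written justification)."""
    return [f"{kind}:{ident}" for kind, ident in inventory(page_html)
            if f"{kind}:{ident}" not in authorized]

# Constructed authorized inventory with the justification for each script.
AUTHORIZED = {
    "src:/static/checkout.js": "first-party checkout form logic",
    "src:https://js.psp.example/v1/fields.js": "payment provider hosted fields",
}
# Constructed payment page: two authorized scripts, one unknown external
# tag and one inline snippet nobody has justified.
SAMPLE_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.psp.example/v1/fields.js"></script>
<script src="https://cdn.unknown.example/tag.js"></script>
<script>window.cfg = {"currency": "USD"};</script>
</body></html>"""
```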
Custom software is developed securely by considering security as a primary factor during the definition, design, and testing phases of software development. This involves training personnel on security best practices relevant to their respective roles.
Security vulnerabilities are identified and addressed by classifying risks into categories and prioritizing the highest risk items first. This includes maintaining an inventory of custom software and third-party components, and protecting system components from known vulnerabilities by installing applicable security patches and updates.
Here are the five sections that detail the procedures to develop and maintain secure systems and software:
- Requirement 6.1: Processes for developing and maintaining secure systems and software are defined and understood.
- Requirement 6.2: Custom software is developed securely.
- Requirement 6.3: Security vulnerabilities are identified and addressed.
- Requirement 6.4: Public-facing web applications are protected against attacks.
- Requirement 6.5: Changes to all system components are managed securely.
6.4.2
As part of PCI DSS Requirement 6, protecting your website from online attacks is crucial. This is where specialized software comes in, such as a Web Application Firewall (WAF).
Employing a WAF can safeguard against web attacks, and it's a best practice until March 31, 2025. This type of software can be deployed for public-facing websites, and it's essential to keep it running and up to date, logging its detections.
Configuring the WAF for automatic blocking or immediate alerts for investigation is also vital. This will help you stay on top of potential threats and ensure your website remains secure.
Here are some key steps to consider when implementing a WAF:
- Employ a WAF to safeguard against web attacks.
- Deploy it for public-facing websites.
- Keep the software running and up to date, logging its detections.
- Configure it for either automatic blocking or immediate alerts for investigation.
Basis Theory Solutions
Basis Theory provides a platform and infrastructure to secure cardholder data in minutes without the need for hundreds of thousands of dollars and months to implement and assess.
This platform extends an independently assessed and approved CDE to customers, allowing companies to collect, secure, and share credit cards without bringing their systems into scope.
Companies can avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.
Basis Theory is a PCI Level 1 compliant service provider, which means their solution meets the highest standards for securing cardholder data.
By using Basis Theory, companies can simplify their payment stack and reduce the complexity of PCI DSS compliance.