PCI compliance requirement 6: Systems and applications

PCI compliance requirement 6: Systems and applications

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 6: "Develop and maintain secure systems and application" To meet PCI compliance requirement 6, you must:

  • Use secure coding techniques and test applications for security
  • Have processes to ensure that systems are secure against vulnerabilities

The experts also address common questions related to PCI compliance requirement 6, like "What's better: application firewalls or code review?"

Watch the rest of the PCI compliance videos, as Diana and Ed review each particular requirement.

Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.  

PCI compliance requirement 6: Systems and applications

Ed Moyle: I am Ed Moyle, and I am a QSA or Qualified Security Assessor, and

      this is . . .

 

Diana Kelley: I am Diana Kelley, and I am a partner at Security Curve.

 

Ed Moyle: Welcome back. Requirement 6: Develop and Maintain Secure Systems and

      Applications. This means that the applications you develop, you are

      going to develop them according to secure coding practices. You are

      going to evaluate them to make sure that they are tested, reviewed,

      and so forth. For your systems, for your actual operating systems,

      middleware systems and so on, that you are going to follow a process

      that ensures that they are patched and so forth over time. We hear a

      lot of questions about this requirement. As of June 30, you may be

      familiar or aware of this, but there is new requirement that external

      web apps will need to have either an application layer firewall, and

      that is the way it reads in the requirement, or external review,

      review by an external party. One of the questions we hear a lot is,

      "What is that? What is an application layer firewall?"

 

Diana Kelley: It is interesting because a lot of people decided it was a web

      application firewall.

 

Ed Moyle: That is true.

 

Diana Kelley: That was the only thing that would suffice. It is not written

      that way in the standard, and we do not know how it will be or if it

      will be updated before June. Something that is interesting is the

      application layer. I think it was February 5th, Cisco said, "We are

      not pulling the PIX anymore, now that it is already adopted the

      security appliance with the industry content and application

      awareness."

 

Check Point, also, another big, standard, traditional

      firewall vendor, having more application awareness in there. Do you

      need a web application firewall? Not necessarily, at this point. Look

      at what you are using for a firewall, talk to your QSA. You may

      actually already be meeting that requirement with what you are using.

 

Ed Moyle: A little bit of advice here. If you have something that may or may

      not be a gray area -- somebody could build a case or make an argument

      that the PIX, for example, is an application layer firewall -- it is

      certainly marketed that way. If you are going to do that, then my

      advice to you would be to document why it is that you think it

      fulfills the requirement so that your QSA can evaluate that when they

      come on site.

 

Diana Kelley: Your quick hits on this requirement are: make sure you have got

      change control procedures in place. Do those code reviews. There are

      tools that can help you with code reviews, data code analysis, for

      example, but you need to make sure that you have looked at that code

      before you deploy it. You can use the PADSS, an approved point of sale

      system. That means your vendor is working on making sure that they

      have done the application and system assessment. Again, it is limited

      scope, but you only need to assess the systems that you are developing and

      putting into place. Big 'gotcha' for your quick hit to remember: you

      cannot use actual data to test on. You need to have tester dummy data

      or scrub data, and keep your test and your production environment

      separate.

More on PCI Data Security Standard

Back to top