PCI compliance requirement 6: Systems and applications
Date: Jun 01, 2009
Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 6: "Develop and maintain secure systems and applications." To meet PCI compliance requirement 6, you must:
- Use secure coding techniques and test applications for security
- Have processes to ensure that systems are secure against vulnerabilities
The experts also address common questions related to PCI compliance requirement 6, like "What's better: application firewalls or code review?"
Watch the rest of the PCI compliance videos, as Diana and Ed review each particular requirement.
Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:
- Version 1.2 of PCI DSS answers questions, raises others
- PCI version 1.2 clarifications: How to get an early start on compliance audits
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
PCI compliance requirement 6: Systems and applications
Ed Moyle: I am Ed Moyle, and I am a QSA or Qualified Security Assessor, and
this is . . .
Diana Kelley: I am Diana Kelley, and I am a partner at Security Curve.
Ed Moyle: Welcome back. Requirement 6: Develop and Maintain Secure Systems and
Applications. This means that the applications you develop, you are
going to develop them according to secure coding practices. You are
going to evaluate them to make sure that they are tested, reviewed,
and so forth. For your systems, for your actual operating systems,
middleware systems and so on, that you are going to follow a process
that ensures that they are patched and so forth over time. We hear a
lot of questions about this requirement. As of June 30, you may be
familiar or aware of this, but there is a new requirement that external
web apps will need to have either an application layer firewall, and
that is the way it reads in the requirement, or external review,
review by an external party. One of the questions we hear a lot is,
"What is that? What is an application layer firewall?"
Diana Kelley: It is interesting because a lot of people decided it was a web
Ed Moyle: That is true.
Diana Kelley: That was the only thing that would suffice. It is not written
that way in the standard, and we do not know how it will be or if it
will be updated before June. Something that is interesting is the
application layer. I think it was February 5th, Cisco said, "We are
not pulling the PIX anymore, now that it is already adopted the
security appliance with the industry content and application
Check Point, also, another big, standard, traditional
firewall vendor, having more application awareness in there. Do you
need a web application firewall? Not necessarily, at this point. Look
at what you are using for a firewall, talk to your QSA. You may
actually already be meeting that requirement with what you are using.
Ed Moyle: A little bit of advice here. If you have something that may or may
not be a gray area -- somebody could build a case or make an argument
that the PIX, for example, is an application layer firewall -- it is
certainly marketed that way. If you are going to do that, then my
advice to you would be to document why it is that you think it
fulfills the requirement so that your QSA can evaluate that when they
come on site.
Diana Kelley: Your quick hits on this requirement are: make sure you have got
change control procedures in place. Do those code reviews. There are
tools that can help you with code reviews, data code analysis, for
example, but you need to make sure that you have looked at that code
before you deploy it. You can use the PA-DSS, an approved point of sale
system. That means your vendor is working on making sure that they
have done the application and system assessment. Again, it is limited
scope, but you only need to assess the systems that you are developing and
putting into place. Big 'gotcha' for your quick hit to remember: you
cannot use actual data to test on. You need to have tester dummy data
or scrub data, and keep your test and your production environment