PCI compliance requirement 6: Systems and applications

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 6: "Develop and maintain secure systems and applications." To meet PCI compliance requirement 6, you must:

  • Use secure coding techniques and test applications for security
  • Have processes to ensure that systems are secure against vulnerabilities

The experts also address common questions related to PCI compliance requirement 6, like "What's better: application firewalls or code review?"

Watch the rest of the PCI compliance videos, as Diana and Ed review each particular requirement.

Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.  

PCI compliance requirement 6: Systems and applications

Ed Moyle: I am Ed Moyle, and I am a QSA or Qualified Security Assessor, and this is . . .

Diana Kelley: I am Diana Kelley, and I am a partner at Security Curve.

Ed Moyle: Welcome back. Requirement 6: Develop and Maintain Secure Systems and Applications. This means that the applications you develop, you are going to develop them according to secure coding practices. You are going to evaluate them to make sure that they are tested, reviewed, and so forth. For your systems, for your actual operating systems, middleware systems and so on, that you are going to follow a process that ensures that they are patched and so forth over time. We hear a lot of questions about this requirement. As of June 30, you may be familiar or aware of this, but there is a new requirement that external web apps will need to have either an application layer firewall, and that is the way it reads in the requirement, or external review, review by an external party. One of the questions we hear a lot is, "What is that? What is an application layer firewall?"

Diana Kelley: It is interesting because a lot of people decided it was a web application firewall.

Ed Moyle: That is true.

Diana Kelley: That was the only thing that would suffice. It is not written that way in the standard, and we do not know how it will be or if it will be updated before June. Something that is interesting is the application layer. I think it was February 5th, Cisco said, "We are not pulling the PIX anymore, now that it is already adopted the security appliance with the industry content and application

Check Point, also, another big, standard, traditional firewall vendor, having more application awareness in there. Do you need a web application firewall? Not necessarily, at this point. Look at what you are using for a firewall, talk to your QSA. You may actually already be meeting that requirement with what you are using.

Ed Moyle: A little bit of advice here. If you have something that may or may not be a gray area -- somebody could build a case or make an argument that the PIX, for example, is an application layer firewall -- it is certainly marketed that way. If you are going to do that, then my advice to you would be to document why it is that you think it fulfills the requirement so that your QSA can evaluate that when they come on site.

Diana Kelley: Your quick hits on this requirement are: make sure you have got change control procedures in place. Do those code reviews. There are tools that can help you with code reviews, data code analysis, for example, but you need to make sure that you have looked at that code before you deploy it. You can use the PADSS, an approved point of sale system. That means your vendor is working on making sure that they have done the application and system assessment. Again, it is limited scope, but you only need to assess the systems that you are developing and putting into place. Big 'gotcha' for your quick hit to remember: you cannot use actual data to test on. You need to have tester dummy data or scrub data, and keep your test and your production environment
