Page Comparison

PCI DSS requirement

Description

6.1

Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendorsupplied security patches. Install critical security patches within one month of release.

6.3

Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:

• In accordance with PCI DSS (for example, secure authentication and logging)

• Based on industry standards and/or best practices.

• Incorporating information security throughout the software-development life cycle

6.4.3

Production data (live PANs) are not used for testing or development

6.4.4

Removal of test data and accounts from system components before the system becomes active / goes into production

6.4.5.3

Functionality testing to verify that the change does not adversely impact the security of the system.

6.5

Address common coding vulnerabilities in software- development processes as follows:

• Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.

• Develop applications based on secure coding guidelines.

6.5.1

Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

6.5.2

Buffer overflows

6.5.3

Insecure cryptographic storage

6.5.4

Insecure communications

6.5.5

Improper error handling

6.5.6

All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).

6.5.7

Cross-site scripting (XSS)

6.5.8

Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).

6.5.9

Cross-site request forgery (CSRF)

6.5.10

Broken authentication and session management.

6.6

For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.