How to comply with PCI DSS 6.3

Saturday, March 09, 2013

Rohit Sethi


If you process, transmit or store credit card data in your software then you’re likely subject to the Payment Card Industry Data Security Standard (PCI DSS). One of the most onerous sections of the PCI DSS is requirement 6: Develop and maintain secure systems and applications. 

In particular, PCI DSS 6.3 requires organizations to "…Incorporate information security throughout the software development life cycle [SDLC] …". One specific testing procedure for auditors is "Examine written software development processes to verify that information security is included throughout the life cycle."

If you have a lax auditor, simply stating in documentation that you embed security into the SDLC, without actually practicing it, may be sufficient – and in our experience this often happens in practice. More rigorous auditors, however, may dig deeper and demand proof that you are incorporating information security throughout the SDLC for PCI DSS 6.3. In our experience, organizations generally fall back on the following kinds of evidence:

  • Show security scanning and/or testing results
  • Show proof that developers have undergone security training

Clearly, however, scan results and training records cover only two points in the life cycle, not the whole SDLC. You can provide real proof of a secure SDLC by doing the following:

  • Provide a documented set of application-specific security requirements, whether in a requirements specification Word document/PDF, an Application Lifecycle Management tool, or a Secure Application Lifecycle Management tool
  • Provide the results of a code auditing process
  • Provide evidence that each of those requirements was tested for, either from the same tools used to record the requirements in the first step, or as output from a testing solution such as HP Quality Center that records the scripts/steps testers followed and the results of the tests
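The third kind of evidence is easiest to produce when every test record names the requirement it verifies, so that a requirement-to-test traceability matrix can be generated rather than assembled by hand before each audit. The script below is an added example of such a check; it is not code from the original post or from SD Elements. The requirement IDs (SR-1 to SR-3), test IDs (T-1 to T-4), requirement wording and results are constructed sample data, and the "verified / failing / untested" labels are this example's own convention, not PCI DSS terminology.

```python
"""Requirement-to-test traceability check (added example, constructed data).

Models the evidence chain described above: application-specific security
requirements, each traced to the test records that verified it, so that an
auditor can see which requirements were actually tested and which were not.
"""
from dataclasses import dataclass, field


@dataclass
class TestRecord:
    test_id: str
    requirement_id: str  # the requirement this test verifies
    result: str          # "pass" or "fail"


@dataclass
class Requirement:
    req_id: str
    text: str
    tests: list = field(default_factory=list)


# Constructed sample data: three security requirements and four test records.
# SR-3 has no test at all; T-4 points at a requirement that does not exist.
SAMPLE_REQUIREMENTS = [
    Requirement("SR-1", "Card numbers are masked when displayed to users"),
    Requirement("SR-2", "Cardholder data is never written to application logs"),
    Requirement("SR-3", "Repeated authentication failures are rate-limited"),
]
SAMPLE_TESTS = [
    TestRecord("T-1", "SR-1", "pass"),
    TestRecord("T-2", "SR-2", "pass"),
    TestRecord("T-3", "SR-2", "fail"),
    TestRecord("T-4", "SR-9", "pass"),
]


def build_traceability(requirements, test_records):
    """Attach every test record to the requirement it verifies.

    Returns (matrix, orphans): matrix maps requirement ID -> Requirement with
    its tests filled in; orphans lists test records that reference a
    requirement ID that is not in the specification, which usually means the
    requirements document and the test plan have drifted apart.
    """
    matrix = {r.req_id: Requirement(r.req_id, r.text) for r in requirements}
    orphans = []
    for t in test_records:
        if t.requirement_id in matrix:
            matrix[t.requirement_id].tests.append(t)
        else:
            orphans.append(t)
    return matrix, orphans


def classify(matrix):
    """Label each requirement: untested (no tests), failing (any test failed),
    or verified (at least one test and all of them passed)."""
    status = {}
    for req_id, req in matrix.items():
        if not req.tests:
            status[req_id] = "untested"
        elif all(t.result == "pass" for t in req.tests):
            status[req_id] = "verified"
        else:
            status[req_id] = "failing"
    return status


def coverage(status):
    """Fraction of requirements that have at least one test, passing or not."""
    if not status:
        return 0.0
    tested = sum(1 for s in status.values() if s != "untested")
    return tested / len(status)


def audit_report(requirements=SAMPLE_REQUIREMENTS, test_records=SAMPLE_TESTS):
    """Return (status, orphans, coverage) and print a human-readable matrix."""
    matrix, orphans = build_traceability(requirements, test_records)
    status = classify(matrix)
    for req_id in sorted(matrix):
        req = matrix[req_id]
        tests = ", ".join(f"{t.test_id}:{t.result}" for t in req.tests) or "-"
        print(f"{req_id:5} {status[req_id]:9} {tests:25} {req.text}")
    for t in orphans:
        print(f"WARNING: {t.test_id} references unknown requirement {t.requirement_id}")
    print(f"coverage: {coverage(status):.0%}")
    return status, orphans, coverage(status)


if __name__ == "__main__":
    audit_report()
```

Run on the sample data, the report shows SR-1 verified, SR-2 failing (one of its two tests failed), SR-3 untested, a warning for T-4, and two-thirds coverage. An auditor reviewing 6.3 evidence will usually want to see the untested and failing rows explained, and the orphan warning is the signal that the requirements document and the test plan are no longer the same document.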

Following these steps is smart spending on PCI compliance: not only will you be complying with PCI DSS 6.3, you will also be lowering the cost of protecting your systems, because defects caught against written security requirements are cheaper to fix than those found after release.

Cross-posted from the SD Elements blog.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.