PCI DSS – Requirement 6 – Develop and Maintain Secure Systems and Applications•

PCI DSS – Requirement 6 – Develop and Maintain Secure Systems and Applications

See it in action
By Max Edwards | Updated 8 February 2024

PCI DSS Requirement 6 mandates the development and maintenance of secure systems and applications by implementing robust security protocols and conducting regular vulnerability assessments and updates. This requirement is critical for mitigating risks associated with software vulnerabilities and ensuring the protection of cardholder data.

Jump to topic

What Is PCI DSS, Requirement 6?

When you’re tasked with safeguarding cardholder data, understanding the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6 is paramount. This requirement is the bedrock of developing and maintaining secure systems and software within the payment card industry.

The Foundational Elements of PCI DSS Requirement 6

Requirement 6 is designed to protect systems and applications involved in payment card processing from breaches and fraud. It mandates the implementation of robust security measures that are critical for the integrity of cardholder data.

Requirement 6 in the Context of PCI DSS Compliance

As part of the broader PCI DSS framework, Requirement 6 works in concert with other requirements to create a comprehensive security strategy. It’s not an isolated directive but an integral component of a holistic approach to data protection.

The Critical Role of Requirement 6

The security of cardholder data hinges on the secure development and maintenance of systems and software. Requirement 6 is critical because it directly addresses these aspects, ensuring that security is not an afterthought but a fundamental consideration throughout the system lifecycle.

Impact on Development and Maintenance

Requirement 6 influences the development and maintenance of secure systems and software by setting out specific sub-requirements. These include secure coding practices, vulnerability management, and the implementation of robust change control procedures. By adhering to these standards, you ensure that security permeates every facet of your payment processing systems.

At ISMS.online, we understand the complexities of PCI DSS compliance. Our platform is designed to help you navigate these requirements with clarity and confidence, ensuring that your systems and software are not only compliant but also resilient against threats.

Book a demo

Unpacking the Sub-Requirements of Requirement 6

When you’re navigating the complexities of PCI DSS Requirement 6, understanding the sub-requirements is crucial for safeguarding your systems and software. These sub-requirements form a comprehensive framework designed to protect cardholder data through meticulous security practices.

Specific Sub-Requirements Under PCI DSS Requirement 6

Requirement 6 is multifaceted, encompassing several key areas:

  • Risk Ranking (6.1): Prioritising vulnerabilities based on their potential impact.
  • Patch Management (6.2): Ensuring timely application of security patches.
  • Secure Development (6.3): Integrating security into the software development lifecycle.
  • Change Control (6.4): Managing changes to systems and applications securely.
  • Coding Vulnerabilities (6.5): Addressing common coding vulnerabilities.
  • Threat Management (6.6): Implementing measures to identify and mitigate threats.
  • Documentation (6.7): Maintaining comprehensive records of security policies and procedures.

Collective Enhancement of System and Software Security

Together, these sub-requirements create a robust defence against security breaches. By addressing each area, you’re not just checking off a compliance list; you’re building a resilient infrastructure that can adapt to evolving threats.

Risk Ranking and Patch Management Processes

Risk ranking involves evaluating vulnerabilities to determine which pose the greatest threat and should be addressed first. Patch management is the process of keeping software updated with the latest security patches to mitigate identified risks.

Contribution of Secure Development and Change Control to Compliance

Secure development practices ensure security is considered at every stage of creating software, while change control procedures help maintain the integrity of systems by managing modifications in a structured manner. Both are vital for maintaining a secure environment and achieving PCI DSS compliance.

By adhering to these sub-requirements, you’re taking proactive steps to protect your customers’ data and your organisation’s reputation. At ISMS.online, we provide the tools and guidance to help you meet these critical security standards.


Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

The Secure Software Development Life Cycle (SDLC) Explained

In terms of payment security, the Secure Software Development Life Cycle (SDLC) is a cornerstone of PCI DSS Requirement 6. It’s a framework that embeds security at every phase of software development, ensuring that applications are resilient against threats from inception to deployment.

Integrating Security into Each SDLC Phase

To integrate security into the SDLC, organisations must:

  • Initiate: Define security requirements alongside functional requirements.
  • Design: Architect systems with security as a foundational element.
  • Develop: Write code with security best practices, such as input validation and error handling.
  • Test: Perform rigorous security testing, including static and dynamic analysis.
  • Deploy: Ensure secure deployment practices and configuration management.
  • Maintain: Continuously monitor and update the software to address new vulnerabilities.

Key Components of a Secure SDLC

A Secure SDLC that aligns with PCI DSS standards includes:

  • Threat Modelling: Identifying potential threats to appropriately prioritise security efforts.
  • Code Reviews: Ensuring code is examined for security vulnerabilities.
  • Automated Testing: Utilising tools to detect security issues early in the development process.

Facilitating Secure Application Development

A Secure SDLC is instrumental in developing secure applications. By incorporating security measures from the start, you reduce the risk of costly fixes later on.


Patch Management for Compliance

Patch management is a critical component of PCI DSS Requirement 6, serving as a frontline defence against security vulnerabilities. It is essential for maintaining the integrity and security of cardholder data within your systems.

The Importance of Patch Management

Patch management is not just about applying updates; it’s about ensuring the ongoing security and compliance of your payment systems. By promptly addressing vulnerabilities, you’re protecting against potential breaches that could compromise sensitive data.

Effective Patch Management Strategies

To effectively manage software patches, organisations should:

  • Assess: Regularly review and assess available patches for their relevance and urgency.
  • Prioritise: Determine which patches are critical based on the potential impact on security.
  • Test: Before full deployment, test patches in a controlled environment to ensure compatibility.
  • Deploy: Roll out patches systematically, starting with the most critical systems.
  • Document: Keep detailed records of patch management activities for compliance verification.

Challenges in Maintaining Up-to-Date Systems

Staying current with patches can be challenging due to the sheer volume of updates and the complexity of modern IT environments. However, neglecting this aspect can leave your systems vulnerable to attack.

Intersection with Other PCI DSS Requirements

Patch management is interconnected with other PCI DSS requirements, such as risk assessment and incident response. Effective patch management not only supports Requirement 6 but also reinforces your overall security posture.

At ISMS.online, we provide the tools and expertise to help you streamline your patch management processes, ensuring that you’re always one step ahead in protecting your cardholder data environment.


Compliance doesn't have to be complicated.

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

Secure Coding and the Prevention of Vulnerabilities

Secure coding is a fundamental aspect of PCI DSS Requirement 6, aimed at preemptively eliminating security risks within software development. By adhering to mandated secure coding practices, organisations can significantly reduce the incidence of common vulnerabilities.

Mandated Secure Coding Practices

PCI DSS Requirement 6 emphasises the importance of:

  • Input Validation: Ensuring only properly formatted data is allowed.
  • Output Encoding: Preventing unwanted data from being sent to users.
  • Authentication and Password Management: Safeguarding user credentials.
  • Session Management: Protecting the integrity of user sessions.
  • Access Control: Restricting user privileges to the minimum necessary.

Preventing Common Security Vulnerabilities

These practices are designed to thwart prevalent security issues such as SQL injection, cross-site scripting (XSS), and other exploits that can compromise cardholder data. By implementing secure coding standards, you’re building a resilient foundation against cyber threats.

Role of Coding Standards

Standards like the OWASP Top Ten serve as a benchmark for secure coding, providing a prioritised list of the most critical security risks to web applications. Adherence to these standards is essential for maintaining robust security.

Ensuring Ongoing Adherence

To ensure ongoing adherence to secure coding practices, organisations should:

  • Educate: Provide regular training for developers on the latest security practices.
  • Review: Conduct code reviews to enforce compliance with secure coding standards.
  • Test: Implement automated tools to scan for vulnerabilities in code.

At ISMS.online, we support your commitment to secure coding by offering resources and tools that align with industry best practices, helping you maintain the security and compliance of your software development processes.


Change Management and PCI DSS

Change management is a pivotal element in maintaining the security of cardholder data, as mandated by PCI DSS Requirement 6. It ensures that all changes to system components are managed in a methodical and secure manner.

Steps in a Secure Change Management Process

A secure change management process typically involves:

  1. Identification: Documenting the proposed change and its purpose.
  2. Approval: Obtaining authorization from the appropriate authority before proceeding.
  3. Testing: Evaluating the change in a controlled environment to ensure it does not introduce new vulnerabilities.
  4. Implementation: Carefully deploying the change into the live environment.
  5. Review: Post-implementation review to confirm the change has not affected the security of the system.

Ensuring Security with Each Change

To prevent new vulnerabilities, you should:

  • Conduct a risk assessment for each change.
  • Ensure changes are made in accordance with secure coding guidelines.
  • Monitor the effects of the change on the system’s overall security posture.

Documentation for Secure Change Management

Proper documentation is essential and should include:

  • Change requests and approvals.
  • Risk assessments associated with the changes.
  • Testing results and implementation details.
  • Post-implementation reviews and any necessary remediation actions.

At ISMS.online, we provide a platform that supports your change management processes, helping you to document, track, and verify changes to ensure continuous compliance with PCI DSS Requirement 6.


Manage all your compliance in one place

ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.

Book a demo

Application Security Testing

Ensuring the security of applications is a critical aspect of PCI DSS Requirement 6. Application security testing is a key component in identifying and mitigating potential vulnerabilities.

Types of Application Security Testing

PCI DSS Requirement 6 mandates two primary types of security testing:

  • Static Application Security Testing (SAST): This is an examination of the application’s source code to detect security flaws without running the programme. It’s akin to a code review and is performed early in the development lifecycle.
  • Dynamic Application Security Testing (DAST): DAST analyses running applications to identify vulnerabilities that an attacker could exploit, simulating real-world attacks.

The Distinction Between SAST and DAST

SAST and DAST serve complementary roles in application security:

  • SAST is used to identify issues during the coding phase, allowing for early remediation.
  • DAST is applied to operational applications, providing insights into runtime security issues.

Regular Application Security Testing for Compliance

Regular testing is not optional; it’s a necessity for compliance and security. It helps in:

  • Catching vulnerabilities before they can be exploited.
  • Ensuring that security measures are effective and up to date.

Integrating Testing into the SDLC

Application security testing should be woven into the SDLC to create a continuous feedback loop. By integrating SAST and DAST at different stages, you can ensure that security is not an afterthought but a fundamental part of the development process.

At ISMS.online, we understand the importance of application security testing and offer resources to help you integrate these practices into your SDLC, ensuring compliance with PCI DSS Requirement 6.


Further Reading

Documentation and PCI DSS Compliance

Documentation is the backbone of PCI DSS Requirement 6 compliance, serving as both a record of adherence and a guide for maintaining security standards. It is through thorough documentation that organisations can demonstrate their commitment to protecting cardholder data.

Essential Documentation for PCI DSS Requirement 6

Organisations should maintain a variety of documents, including:

  • Security Policies: Outlining the organisation’s approach to securing cardholder data.
  • Procedures: Detailing the steps for implementing security measures.
  • Incident Response Plan: Providing a roadmap for addressing security breaches.
  • Change Management Records: Documenting all changes to system components.
  • Audit Trails: Recording user activities, exceptions, and information security events.

Supporting the Audit Process

During an audit, documentation is scrutinised to verify compliance with PCI DSS standards. It provides evidence of:

  • Risk Assessments: Showing how risks are identified and managed.
  • Patch Management: Demonstrating that vulnerabilities are promptly and effectively addressed.
  • Security Testing: Confirming that systems and applications are regularly tested for weaknesses.

Role in Incident Response and Breach Management

In the event of a security incident, documentation plays a critical role in:

  • Identifying the Scope: Understanding the extent of a breach.
  • Facilitating Recovery: Guiding the steps to contain and remediate issues.
  • Post-Incident Analysis: Helping to identify the root cause and prevent future occurrences.

At ISMS.online, we provide a platform that simplifies the creation, management, and retrieval of these vital documents, ensuring that you’re always prepared for audits and equipped to handle any security incidents.


Educating Developers on Security and Compliance

Ensuring that developers are well-versed in security and compliance is a cornerstone of meeting PCI DSS Requirement 6. At ISMS.online, we recognise the critical role that developer education plays in safeguarding cardholder data.

The Necessity of Developer Security Training

Developer training is not just a compliance checkbox; it’s an investment in your organisation’s security posture. By equipping your development team with the knowledge of secure coding practices, you’re proactively mitigating the risk of data breaches and ensuring compliance with PCI DSS standards.

Core Topics for Developer Training Programmes

A comprehensive developer security training programme should cover:

  • Secure Coding Standards: Such as those outlined by OWASP and SANS.
  • Threat Modelling: To anticipate and defend against potential attacks.
  • Security Testing: Including SAST and DAST methodologies.
  • Incident Response: Preparing developers to react swiftly and effectively to security incidents.

Benefits of Training Developers in Security Practices

When developers are trained in security, they become your first line of defence against cyber threats. This training leads to:

  • Reduced Vulnerabilities: Through the development of more secure code.
  • Enhanced Compliance: By ensuring that security is a consistent element of the development process.

Ensuring Continuous Learning

To keep developers abreast of evolving security standards, consider:

  • Regular Training Updates: To cover new threats and security practices.
  • Participation in Security Forums: Encouraging engagement with the wider security community.
  • Incorporation of Learning into Daily Workflows: Making security an integral part of the development culture.

Through our platform, ISMS.online, we support your efforts to maintain a well-informed development team, providing resources and tools that facilitate ongoing education in security and compliance.


Addressing the Security of Public-Facing Web Applications

Public-facing web applications are often the front door to your organisation’s services and data, making their security paramount. PCI DSS Requirement 6 addresses this by setting forth specific measures to protect these applications from threats.

Required Security Measures for Web Applications

For public-facing web applications, you must implement:

  • Data Input Validation: To prevent SQL injection and XSS attacks.
  • Authentication Controls: To ensure only authorised users gain access.
  • Encryption: To safeguard data in transit against interception.
  • Regular Vulnerability Scanning: To detect and address security weaknesses promptly.

The Role of Web Application Firewalls (WAF)

WAFs are a critical line of defence, filtering and monitoring HTTP traffic between a web application and the Internet. They help in:

  • Blocking malicious requests.
  • Protecting against web-based attacks.
  • Complying with PCI DSS by shielding web applications from known vulnerabilities.

Common Threats to Web Applications

Web applications face numerous threats, including:

  • DDoS Attacks: Overwhelming servers to disrupt service.
  • Code Injection: Exploiting security vulnerabilities to execute malicious code.
  • Data Breaches: Unauthorised access leading to data theft.

Balancing Functionality and Security

To balance functionality with security, consider:

  • Implementing security features that do not impede user experience.
  • Regularly updating applications to introduce new features while addressing security issues.


PCI DSS Requirement 6 and ISO 27001:2022 Mapping

Navigating the intricacies of PCI DSS Requirement 6 becomes more manageable when you understand its alignment with ISO 27001:2022 standards. At ISMS.online, we provide the expertise to help you map these controls effectively.

Aligning Secure Development Life Cycles

PCI DSS Requirement 6.1 and ISO 27001 Control A.8.25 both emphasise the importance of a secure development life cycle. This ensures that security is integrated into every stage of your software development process.

  • Organisational Roles and Responsibilities: ISO 27001’s control 5.3 complements this by clarifying the roles, responsibilities, and authorities within your organisation, ensuring everyone understands their part in maintaining security.

Developing Bespoke and Custom Software Securely

For Requirement 6.2, the secure development of custom software is paramount. ISO 27001 controls A.8.25 and A.8.28 provide a framework for secure coding practices, while A.5.20 addresses security within supplier agreements, ensuring that all parties involved in software development adhere to high security standards.

Identifying and Addressing Security Vulnerabilities

Requirement 6.3‘s focus on vulnerability management is mirrored by ISO 27001’s 8.8, which mandates the management of technical vulnerabilities. Together, they form a proactive approach to identifying and mitigating risks.

Protecting Public-Facing Web Applications

Requirement 6.4 aligns with ISO 27001’s 8.21, underscoring the need to secure network services against attacks, particularly for public-facing web applications.

Secure Change Management

Lastly, Requirement 6.5 on change management is supported by ISO 27001’s A.8.32. This ensures that all changes to system components are managed in a secure and controlled manner.

By mapping PCI DSS requirements to ISO 27001 controls, you can create a cohesive and robust security strategy. Our platform at ISMS.online simplifies this process, providing you with the tools to achieve and demonstrate compliance effectively.



ISMS.online and PCI DSS Compliance

Navigating PCI DSS compliance can be complex, but with ISMS.online, we simplify the journey for you. Our Integrated Management System (IMS) is designed to streamline the compliance process, making it more manageable and less time-consuming.

Simplifying Compliance with an IMS

An IMS integrates all compliance processes into a single, cohesive framework. This holistic approach reduces duplication of effort and ensures that all aspects of PCI DSS Requirement 6 are addressed consistently.

Tools and Features for Compliance Management

ISMS.online provides a suite of tools to manage compliance documentation and risk, including:

  • Document Control: Securely manage and store all your compliance documents in one place.
  • Risk Management Tools: Identify, assess, and mitigate risks with our dynamic risk management tools.
  • Task Management: Assign and track compliance-related tasks to ensure nothing falls through the cracks.

Continuous Improvement and Compliance Monitoring

We believe in the power of continuous improvement. ISMS.online supports this with features that allow for:

  • Regular Reviews: Schedule and conduct regular reviews of your security posture.

Developing and Maintaining Secure Systems

Our platform assists in developing and maintaining secure systems by providing:

  • Best Practice Templates: Use our pre-configured templates to align with PCI DSS requirements.
  • Guidance and Support: Access expert advice to navigate the complexities of PCI DSS Requirement 6.

Benefits of Using ISMS.online

To see all our benefits:

  1. Contact Our Team: Reach out to discuss your specific compliance needs.
  2. Onboarding: We'll guide you through the onboarding process, tailoring our platform to your organisation.
  3. Ongoing Support: Benefit from our continuous support as you work towards and maintain compliance.

At ISMS.online, we're committed to helping you protect cardholder data by simplifying the path to PCI DSS compliance. Contact us to learn how we can support your compliance journey.

Book a demo


PCI DSS Requirements Table

PCI DSS Requirement NumberPCI DSS Requirement Name
PCI DSS Requirement 1Install and Maintain a Firewall Configuration to Protect Cardholder Data
PCI DSS Requirement 2Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
PCI DSS Requirement 3Protect Stored Cardholder Data
PCI DSS Requirement 4Encrypt Transmission of Cardholder Data Across Open, Public Networks
PCI DSS Requirement 5Protect All Systems Against Malware and Regularly Update Antivirus Software or Programs
PCI DSS Requirement 6Develop and Maintain Secure Systems and Applications
PCI DSS Requirement 7Restrict Access to Cardholder Data by Business Need to Know
PCI DSS Requirement 8Identify and Authenticate Access to System Components
PCI DSS Requirement 9Restrict Physical Access to Cardholder Data
PCI DSS Requirement 10Track and Monitor All Access to Network Resources and Cardholder Data
PCI DSS Requirement 11Regularly Test Security Systems and Processes
PCI DSS Requirement 12Maintain a Policy That Addresses Information Security for All Personnel

complete compliance solution

Want to explore?
Start your free trial.

Sign up for your free trial today and get hands on with all the compliance features that ISMS.online has to offer

Find out more

Streamline your workflow with our new Jira integration! Learn more here.