Understanding Secure Development for PCI DSS Compliance
In this article we look at the PCI DSS requirement for secure software development and why it is important, not just to achieve compliance, but to help prevent breaches and protect payment card information and other sensitive customer information.
NOTE – PCI DSS update from V3.2.1 to V4.0: Changes in version V4.0 relating to Training for Software Development Personnel
The software developer training elements (previously Requirement 6.5 in v3.2.1) have been updated and restructured under Requirement 6.2.2 in PCI DSS v4.0. These changes keep the standard current with emerging threats, technologies and changes in the payment industry.
All software development related content is now aligned under Requirement 6.2. Read more about this update in our post Securing the Code: Unpacking PCI DSS v4.0 Requirement 6.2.2 for Software Developers to ensure your team is up to date with the latest requirements. Don’t wait, act now to maintain your PCI compliance and secure your software development process.
Organisations that accept payment cards must understand and comply with Payment Card Industry (PCI) Data Security Standards. These standards, developed by the PCI Security Standards Council, made up of American Express, Discover Financial Services, JCB International, MasterCard and Visa, are designed to ensure that cardholder data is processed, stored, and transmitted securely and protected from misuse and fraud.
What Are the PCI Compliance Requirements for Secure Software Development?
PCI DSS version 4.0 includes 12 requirements for PCI compliance that mirror security best practices, grouped under six goals. Among them is requirement 6, Develop and maintain secure systems and software.
Build and Maintain a Secure Network and Systems
1. Install and maintain network security controls
2. Apply secure configurations to all system components
Protect Account Data
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
Implement Strong Access Control Measures
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
Maintain an Information Security Policy
12. Support information security with organizational policies and programs
Organisations at Level 1 require an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). Organisations at Levels 2, 3 and 4 complete a self-assessment questionnaire (SAQ) instead of an external audit. An organisation's level is determined by the volume of credit card transactions it processes annually.
What does PCI DSS mean for Software Development?
Just as any business that accepts card payments must ensure that cardholder data is managed securely, an organisation that develops applications handling card data must secure its software against vulnerabilities. The application layer is high-risk and is a target for both internal and external threats, so PCI compliance is a key consideration when developing applications that involve payment card transactions. PCI DSS requirements 6.1 to 6.5 together make up requirement 6, Develop and Maintain Secure Systems and Software:
- PCI DSS 6.1 – Processes and mechanisms for developing and maintaining secure systems and software are defined and understood
- PCI DSS 6.2 – Bespoke and custom software are developed securely
- PCI DSS 6.3 – Security vulnerabilities are identified and addressed
- PCI DSS 6.4 – Public-facing web applications are protected against attacks
- PCI DSS 6.5 – Changes to all system components are managed securely
How to Develop Secure Software Applications Under PCI DSS?
To achieve compliance with PCI DSS requirement 6.5 (restructured under 6.2.2 in v4.0, as noted above), developers need to be able to identify vulnerabilities in their code, understand how an attacker may try to take advantage of a weakness, and know what the impact can be.
Specific knowledge and skills, together with appropriate best practices, help developers code defensively and meet the secure coding and application security standards required by PCI DSS:
- Identify and mitigate common threats and vulnerabilities in the code (using the OWASP Top 10).
- Incorporate information security across the development process: requirement gathering, design, development, and testing.
- Train regularly to keep acquiring the knowledge and skills software developers need to improve the security of applications by following a secure development lifecycle (SDL) process.
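As an added illustration of what "coding defensively" looks like for cardholder data (example code written for this article, not from the PCI SSC or any training course): a payment service that writes raw requests to its application log puts full card numbers at rest in log files, which is exactly the kind of defect a secure-coding review should catch. The insecure logging function is shown beside a hardened one that redacts PAN-shaped, Luhn-valid digit runs before they reach a log handler. The sample card number is a constructed test value, not a real account.

```python
import logging
import re

# Constructed sample input: a well-known test PAN that passes the Luhn check, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; used only to recognise PAN-shaped strings so that order ids are left alone."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is enough for an operator to match a transaction."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


# 13-19 digits, optionally separated by spaces or hyphens (e.g. "4111 1111 1111 1111").
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def redact_message(msg: str) -> str:
    """Replace every Luhn-valid PAN-shaped run in a log message with its masked form."""
    def _sub(match: "re.Match[str]") -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_sub, msg)


def log_payment_insecure(pan: str, amount: str) -> str:
    """Vulnerable pattern: the full PAN is written verbatim into the application log."""
    line = f"charge {amount} to card {pan}"
    logging.getLogger("payments").info(line)
    return line


def log_payment_secure(pan: str, amount: str) -> str:
    """Hardened form: redaction runs on the message before any log handler sees it."""
    line = redact_message(f"charge {amount} to card {pan}")
    logging.getLogger("payments").info(line)
    return line
```

In a real service the redaction would normally live in a logging.Filter attached to every handler, so that no code path can bypass it.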
Contact us and talk directly to one of our instructors about the role of secure software development in PCI DSS compliance and the training course or courses to best suit your needs. Learn more about how our Secure Coding for PCI DSS course helps provide developers with the specific knowledge and skills to apply the secure coding and application security standards needed for PCI DSS–relevant applications that process card payments and/or cardholder data.