The software developer training elements (previously Requirement 6.5 in PCI DSS v3.2.1) have been updated and restructured under Requirement 6.2.2 in PCI DSS v4.0. These changes ensure that the standard keeps pace with emerging threats, technologies and changes in the payment industry.
All software development related content is now aligned under Requirement 6.2. Read more about this update in our post Securing the Code: Unpacking PCI DSS v4.0 Requirement 6.2.2 for Software Developers to ensure your team is up-to-date with the latest requirements. Don't wait, act now to maintain your PCI compliance and secure your software development process.
Organisations that accept payment cards must understand and comply with Payment Card Industry (PCI) Data Security Standards. These standards, developed by the PCI Security Standards Council, made up of American Express, Discover Financial Services, JCB International, MasterCard and Visa, are designed to ensure that cardholder data is processed, stored, and transmitted securely and protected from misuse and fraud.
PCI DSS version 4.0 includes 12 requirements for PCI compliance that mirror security best practices, grouped under six goals. Among these requirements the standard lists "Develop and maintain secure systems and software".
Build and Maintain a Secure Network and Systems
1 Install and maintain network security controls
2 Apply secure configurations to all system components
Protect Account Data
3 Protect stored account data
4 Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program
5 Protect all systems and networks from malicious software
6 Develop and maintain secure systems and software
Implement Strong Access Control Measures
7 Restrict access to system components and cardholder data by business need to know
8 Identify users and authenticate access to system components
9 Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10 Log and monitor all access to system components and cardholder data
11 Test security of systems and networks regularly
Maintain an Information Security Policy
12 Support information security with organizational policies and programs
Organisations in Level 1 require an external audit performed by a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). Levels 2, 3 and 4 complete a self-assessment questionnaire (SAQ) instead of an external audit. The relevant level for an organisation is based on the volume of credit card transactions processed annually.
Just as any business that accepts card payments must ensure that cardholder data is managed securely, an organisation that develops applications that handle card data must secure its software against vulnerabilities. The application layer is high-risk and is a target for both internal and external threats. PCI compliance is therefore a key consideration when developing applications that involve payment card transactions. PCI DSS requirements 6.1 to 6.5 fall under the goal "Develop and Maintain Secure Systems and Software".
To achieve compliance with PCI DSS requirement 6.5, developers need to be able to identify vulnerabilities in their code, understand how an attacker may try to take advantage of a weakness, and understand what the impact of a successful attack can be.
Specific knowledge and skills, combined with appropriate best practices, help developers code defensively and meet the secure coding and application security standards required by PCI DSS.
Contact us and talk directly to one of our instructors about the role of secure software development in PCI DSS compliance and the training course or courses to best suit your needs. Learn more about how our Secure Coding for PCI DSS course helps provide developers with the specific knowledge and skills to apply the secure coding and application security standards needed for PCI DSS–relevant applications that process card payments and/or cardholder data.