| Requirement | Sub-requirements | | | |
|---|---|---|---|---|
| **6.1** Processes and mechanisms for developing and maintaining secure systems and software are defined and understood. | 2 | | | |
| 6.1.1 All security policies and operational procedures identified in Requirement 6 are documented, kept up to date, in use, and known to all affected parties. | | | | |
| 6.1.2 Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. | | | | |
| **6.2** Bespoke and custom software are developed securely. | 4 | | | |
| 6.2.1 Bespoke and custom software are developed securely. | | | | |
| 6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months. | | | | |
| 6.2.3 Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities. | 1 | | | |
| 6.2.3.1 If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are reviewed by individuals other than the originating code author who are knowledgeable about code-review techniques and secure coding practices, and are reviewed and approved by management prior to release. | | | | |
| 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. | | | | |
| **6.3** Security vulnerabilities are identified and addressed. | 3 | | | |
| 6.3.1 Security vulnerabilities are identified and managed. | | | | |
| 6.3.2 An inventory of bespoke and custom software, and of third-party software components incorporated into bespoke and custom software, is maintained to facilitate vulnerability and patch management. | | | | |
| 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates. | | | 1 | |
| **6.4** Public-facing web applications are protected against attacks. | 3 | | | |
| 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks. | | | | |
| 6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks. | | | | |
| 6.4.3 All payment page scripts that are loaded and executed in the consumer's browser are managed. | | | | |
| **6.5** Changes to all system components are managed securely. | 6 | | | |
| 6.5.1 Changes to all system components in the production environment are made according to established procedures. | | | | |
| 6.5.2 Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable. | | | | |
| 6.5.3 Pre-production environments are separated from production environments and the separation is enforced with access controls. | | | | |
| 6.5.4 Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed. | | | | |
| 6.5.5 Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements. | | | | |
| 6.5.6 Test data and test accounts are removed from system components before the system goes into production. | | | | |