If you process, transmit or store credit card data in your software then you’re likely subject to the Payment Card Industry Data Security Standard (PCI DSS). One of the most onerous sections of the PCI DSS is requirement 6: Develop and maintain secure systems and applications. In particular, PCI DSS 6.3 requires organizations to “…Incorporate information security throughout the software development life cycle [SDLC] … ”. One specific testing procedure for auditors is “Examine written software development processes to verify that information security is included throughout the life cycle.” If you have a lax auditor, simply stating in documentation that you embed security into the SDLC, without actually practicing it, may be sufficient — and in our experience, this often happens in practice. More rigorous auditors, however, may dig deeper and demand proof that you are incorporating information security throughout the SDLC for PCI DSS 6.3. In our experience, organizations generally fall back on the following kinds of evidence:
- Show security scanning and/or testing results
- Show proof that developers have undergone security training
Clearly, however, this does not cover the entire spectrum of the SDLC. You can provide real proof of a secure SDLC by doing the following:
- Provide a documented set of application-specific security requirements in a requirements specification (Word document/PDF), an Application Lifecycle Management tool, or a Secure Application Lifecycle Management tool
- Provide the results of a code auditing process
- Provide evidence that the requirements were tested for, either using the same tools from step 1 or using output from a testing solution such as HP Quality Center that records the scripts / steps testers followed and the results of the tests
Following these steps is smart spending on PCI compliance, because not only will you be complying with PCI DSS 6.3 — you will also be lowering the cost of protecting your systems by defining software security requirements up front rather than fixing defects after the fact.