+44 118 905 5000
Contact Us

Requirement 6: Develop and maintain secure systems and software

Please provide the information below to view the online Verizon Payment Security Report.

Submit View only

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

  • This requirement covers the security of applications and change management. It governs how systems and applications are developed and maintained, whether by the organizations or third parties.

  • Figure 16. Global state of PCI DSS compliance: Requirement 6

  • Full compliance: There was a very substantial 10.1 pp increase on Requirement 6, from a low 60.4% to 70.5%. Organizations applied more focus on patching and software vulnerability management. The improvement in full compliance may also be influenced by the increase in compensating controls.

    Control gap: The control gap narrowed considerably from 6.7% to a relatively low 3.2%. This is due in part to improvements in Control 6.2, where compliance against 6.2.b improved by 11.4 pp, and Control 6.2 improved by 9.0 pp.

    Compensating controls: The use of compensating controls increased from 11.0% to 15.0%. Requirement 6 is, for a second year in a row, the requirement that is most compensated, followed by Requirement 8. Control 6.2 was compensated by an average of 14.5% of organizations (+4.1 pp); there was a small increase in the compensating of Control 6.4.

  • Figure 17. Requirement 6 control performance

    • A tip on sustainable control effectiveness

      All system components within and connected to the CDE need to be properly hardened before placed into production—and then maintained. It’s important to sign up for vendor security notifications; most support an email alert service or RSS feed, and many offer tailored feeds based on specific solutions or technologies. Monitor these alerts on a daily basis. Organizations save administrators time by automating the deployment of patches.

      For example: Deploy a solution such as Microsoft Endpoint Configuration Manager in Microsoft environments.

  • Requirement 6: Develop and maintain secure systems and software

    The goal

    The goal of PCI DSS Key Requirement 6 is to achieve and sustain a mature process and capability for developing and maintaining secure software and systems for all relevant system components across the CDE, and to continuously improve processes and capabilities for the effective, reliable and sustainable protection of account data.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations
    • Components: This goal applies to all applicable system components across the CDE, such as routers, firewalls, operating systems, application software, databases, point-ofsale (POS) terminals, internet browsers, etc., that need to be patched in a timely manner
    • Security tools: The management of web application firewalls (WAFs) and application security assessment tools
    • People: All software developers involved with developing software for CHD-related components, the teams and individuals conducting application assessments and patching, and system-hardening tasks for in-scope systems
    • Documentation: Software development procedures, secure coding life-cycle management methodologies, detailed application security assessment standards and procedures, and security patch management standards and procedures applicable to all relevant components within the CDE

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal
    • Capability—patching: Maintain a mature capability to manage IT component vulnerabilities through regular, timely and consistent application of security patches, to all relevant components
    • Identification of software vulnerabilities: Develop the capability to effectively identify and process security vulnerabilities—including applicable vulnerabilities for bespoke, custom and vendor software—using industry-recognized sources for security vulnerability information; assign risk ranking to vulnerabilities to include identification of all high-risk and critical vulnerabilities
    • Competency: Effectively use WAFs in front of public-facing web applications, and use web application security assessments to monitor, detect and prevent web-based attacks
    • Competency—secure software development: Properly train software development personnel in secure development practices, software security and attacks to identify and resolve issues related to common coding vulnerabilities. This includes establishing the capacity, competency and organizational capability to manage the full scope of secure system and software activities
    • Documentation and processes: Maintain effective standard operating procedures with clearly articulated standards. Regularly train and educate staff on how to follow the documented procedures

    Strong dependencies and integration with other key requirements
    • Requirement 1: Integration with network security components, for network-based anti-malware protection
    • Requirement 11: Very strong dependency and integration with security vulnerability testing
    • Requirement 12: Integration and dependency with risk analysis and management practices
    • Requirement 2: Strong dependency and integration with secure configuration practices
    • Requirements 7 & 8: Secure authentication and access control to components that transmit CHD

    Short-term objectives
    • Scope: Develop and maintain the capability to accurately identify, report and monitor a dynamic inventory of in-scope hardware and software assets; create prioritized task lists for securing systems and software across the CDE
    • Capacity planning: Calculate the resources (people, budget, time) needed, and effectively communicate the assigned roles, responsibilities and workload to achieve the goal for Requirement 6
    • Inventory management: Proactive identification, planning, communication and execution of a treatment plan to effectively address all end-of-life technologies for all related components within the CDE
    • Communication: Complete the set of documentation, which is extensive for this key requirement. Standardize, document and communicate all related processes and procedures in support of this key requirement

    Long-term objectives
    • Constraints: Remove business and technical constraints that prevent timely patching of systems
    • Maturity: Achieve and maintain high-performance maturity for managing time-sensitive patch updates to ensure that all in-scope system components have as few vulnerabilities as possible. Improve and refine configurations, support processes, documentation and training

    Common constraints
    • Capacity: Not having sufficient resources (people, time and budget) to attend to scope of the tasks required to meet the goal and objectives of Requirement 6, such as keeping up with new vulnerability notifications
    • Capability: Technology constraints where equipment does not support required software updates
    • Cost: Lack of budget to upgrade systems and improve tools to support the objectives of this requirement
    • Competency: Lack of staff qualified to design and implement effective secure systems and software programs
    • Commitment: Conflicting priorities; not investing focused time and resources on Requirement 6 activities

  • Addressing the cause to avoid treating the symptoms


    How clarity on goals, requirements and constraints strengthens the control environment

    With proper planning, design and execution, PCI security compliance programs succeed quietly, protecting payment card data day after day. Then there are the programs that fail spectacularly, sometimes resulting in a publicly disclosed compromise. The success of the PCI DSS over its nearly 20-year history is punctuated by several high-profile payment card data breaches, and those massive program failures make sensational stories. Not surprisingly, all findings and data made available from various PCI Forensic Investigator (PFI) investigations confirm that none of the organizations that experienced confirmed payment card data breaches were compliant with the PCI DSS requirements at the time of the breach. Furthermore, no known, disclosed and documented cases exist of any payment card data breach where evidence supported that the breached entity had all required PCI DSS controls in place at the time of the breach. In all known cases, numerous key security requirements were not in place— usually with several being material to the breach. This is well documented in several of our previous PSR editions.

    That there are negative consequences of a data compromise is a cold, hard reality. In the aftermath, a company’s CISO, its security team and others find themselves in the hot seat, responding to tough questions from senior management and third-party forensic investigators—about the what, when, where, how and why of the data compromise.

    Publications like the Verizon Data Breach Investigations Report (DBIR) provide the opportunity to learn from others’ mistakes. It’s critical to document who is targeted by which threat actors, how the threat actors succeeded in breaching the organization, and what the consequences were. In addition to dissecting what went wrong, it’s important to review the available data to understand the lessons of exactly how and why data breaches happen, to avert—or at least mitigate—the impact of future breaches.

    Moving from symptoms to causes: Understanding the why

    It’s typical for data breach investigations to uncover several security controls that were not in place at the time of a breach. Breaches often involve a combination of contributing factors that expose human errors, including control design flaws, implementation errors, unpatched systems, etc. But why? Detective work is necessary to determine if the security environment and controls were designed improperly, maintained poorly or simply neglected—or any combination thereof. Did inadequate support processes allow security deficiencies to go unnoticed—or worse, noticed but uncorrected? For what seems to be just a few situations, countless additional “whys” crop up. Was the breached environment designed or implemented improperly because of poor staffing or lack of competence? Ineffective use of security tools is a common contributing factor; the tools may be in place, but the staff is not sufficiently trained to use the tools to effectively detect and respond to a security incident. Was a culture of indifference to compliance, quality and standards a factor?

    In broad terms, the first objective of incident response is not to determine how and why the breach occurred; rather it’s to contain the breach and stop the data leak (although, sadly, sometimes our Verizon Threat Research Advisory Center (VTRAC) investigators have the additional task of asset discovery before the collection and analysis effort can be initiated). This is followed by determining the scope and full extent of the breach. Once these activities are completed, the focus can then shift to understanding how and why the breach happened, which controls failed or were not in place to begin with, and to what extent the not-in-place controls led or contributed to the breach. The investigating team then begins the journey of scrutinizing the control environment, working their way back through multiple layers of controls and constraints that impacted the effectiveness of the in-place defenses.

    Peeling back the layers: Exposing cause-and-effect relationships

    This inevitably leads to uncovering the differences between perception and reality—laying bare poor organizational management practices, operational design, and execution and monitoring deficiencies. Each can contribute to a weakened control environment. Most issues are symptoms that result from poor planning or failing to include them in a strategic plan, starting with inadequate leadership and ending with commitment, communication and culture issues. Such concerns are a combination of Verizon’s Top 7 Strategic Data Security Management Traps (see page 12 of the 2020 PSR). The focus then shifts toward presenting a clear understanding of the remediation steps needed to enhance the security posture to prevent—or at least mitigate—a repeat of the same or similar incidents. The end of a data breach investigation concludes with the presentation of a final management report documenting findings and recommendations. A good report and presentation include an overview of the critical decisions that were made and not made, and the initial key factors that contributed to control failures down the line. The process may also include presenting the findings and recommendations to the board. The presentation should describe, where possible, what the exact or most likely issues were that resulted in the security incident turning into a data breach. Understandably, the board should be most interested in the way forward—the corrective actions required. They are also interested in the critical processes and capabilities needed to achieve a level of security and compliance maturity needed to deliver a proven (assured) level of effectiveness and sustainability. Enabling this understanding is a somewhat daunting and complex endeavor.

    With security breaches becoming increasingly common, experienced security professionals are simplifying the complexity of this communication. It requires distilling the presentation content down to root causes and main contributing factors, to clarify the goal of security and compliance that the organization actually pursued (expectations vs reality), and what contributed to conditions that resulted in a security compromise.

    PCI DSS controls that lack reliability and sustainable effectiveness are, in most cases, merely a symptom of an organizational lack of commitment to specify a level of assurance that includes those performance qualities (reliability, effectiveness and sustainability in design and operation). These are necessary requirements and objectives of security and compliance goals and should be incorporated as key elements in the security strategy.

    Be very explicit about what you are aiming for.

    Any actions within a security and compliance strategy should be framed, directed and influenced by the set of goals and objectives you define and communicate.

    This underscores the importance of why sustainable control effectiveness should be explicitly and clearly incorporated as a strategic objective and made part of the overall goal. Your goals and objectives and their necessary conditions create the framework for every decision, every action within your security and compliance posture. Spending time on goals, requirements and constraints is essential to create a supporting governance structure that can help ensure that decisions and actions undertaken by people within the organization don’t deviate from the strategy, goals and objectives that management determined to pursue. As is evident in the myriad of data breach investigation cases Verizon has conducted, failure to do so can set up a series of consequences that may result in unaddressed core conflicts, lack of focus, poor performance and eventually the nonachievement of goals.