Requirement 6: Develop and Maintain Secure Systems and Software

PCI DSS 4.0.1 clarifies three critical areas: 1) Reverts to v3.2.1 language requiring critical vulnerability patches within 30 days , 2) Expands payment page script controls to include all client-side scripts impacting payment flows , and 3) Strengthens change management requirements with explicit rollback procedures . The update emphasizes continuous vulnerability management rather than periodic scanning, requiring automated monitoring of Common Vulnerability Scoring System (CVSS) feeds and integration with SDLC processes .

Organizations must: 1) Implement CVSS-based prioritization with critical vulnerabilities (CVSS �?9.0) patched within 30 days , 2) High-risk vulnerabilities (CVSS 7.0-8.9) addressed within 90 days, and 3) Maintain evidence of risk acceptance for non-critical patches exceeding timelines. Cloud environments require automated patch deployment pipelines with rollback capabilities. PCI DSS 4.0.1 specifically mandates separate tracking for payment system patches using tools like Qualys Patch Management or Microsoft WSUS .

Implement: 1) Automated script allow-listing using tools like Akamai Page Integrity Manager, 2) Subresource Integrity (SRI) hashes for all third-party scripts, 3) Real-time monitoring of script behavior through browser DOM inspection, and 4) Quarterly script inventory reviews. PCI DSS 4.0.1 requires cryptographic verification of script integrity before execution and isolation of payment iframes using Content Security Policies (CSP) . All script changes must undergo SAST/DAST testing equivalent to main application code .

Organizations must: 1) Integrate SAST/DAST tools (Checkmarx, Veracode) into CI/CD pipelines, 2) Maintain separate environments for development/testing using infrastructure-as-code templates, 3) Implement code signing with HSM-protected keys for production deployments, and 4) Conduct threat modeling for all payment features. PCI DSS 4.0.1 mandates peer reviews for security-critical code and bi-annual secure coding training for developers . Evidence must include commit-level vulnerability tracking in tools like Jira or GitHub Advanced Security .

Maintain: 1) Change tickets with risk assessments and rollback plans , 2) Pre/post-change vulnerability scans using Tenable.io or Nessus, 3) Evidence of PCI DSS revalidation after significant changes, and 4) Signed approvals from CAB (Change Advisory Board). PCI DSS 4.0.1 requires cryptographic audit trails for production changes using tools like GitCrypt or HashiCorp Vault. Cloud deployments need infrastructure-as-code change logs in AWS CloudTrail or Azure Activity Log .

Our process includes: 1) Daily CVSS feed monitoring via Rapid7 InsightVM, 2) Automated patch testing in isolated AWS environments using Terraform, 3) Deployment through Ansible Tower with 48-hour SLA for critical patches. Evidence includes ServiceNow change tickets linked to CVE IDs, pre/post-patch Nessus scans, and rollback playbooks. Last quarter achieved 100% critical patch compliance across 2,500+ systems .

We enforce: 1) Content Security Policy (CSP) with strict 'script-src' directives, 2) Automated script hashing using SRIValidator in Jenkins pipelines, 3) Real-time monitoring through Signal Sciences WAF. Documentation includes cryptographically signed script manifests and quarterly penetration test reports validating script isolation. Our dashboard shows 0 unauthorized scripts in payment flows for 18 months .

We maintain: 1) GitHub Advanced Security integration flagging 150+ vulnerabilities/month, 2) SonarQube quality gates blocking merges with critical issues, 3) Peer review checklists in Jira with OWASP Top 10 coverage. Evidence package includes SAST reports from Checkmarx, DAST results from Burp Suite Enterprise, and training records showing 95% developer completion of secure coding courses .