6.2 Bespoke and custom software are developed securely.
This requirement focuses on ensuring that custom software is developed securely using industry standards and best practices. It covers secure development practices, developer training, code review processes, and software engineering techniques to prevent security vulnerabilities.
Sub-requirements:
- 6.2.1 Bespoke and custom software are developed securely
- 6.2.2 Software development personnel working on bespoke and custom software are trained
- 6.2.3 Bespoke and custom software is reviewed prior to being released into production
- 6.2.3.1 If manual code reviews are performed for bespoke and custom software prior to release to production
- 6.2.4 Software engineering techniques or other methods are defined and in use by software development personnel
6.2. System components and software are protected from known vulnerabilities.
Ensure all system components and software are inventoried, supported, patched, and protected against vulnerabilities.
Key Risks
Frequently Asked Questions
What is required for vulnerability management?
All software and system components must be inventoried, supported, and kept up to date with security patches.
How quickly must critical patches be applied?
Within one month of release, or sooner if risk dictates.
How are custom and bespoke software vulnerabilities managed?
By performing code reviews, vulnerability assessments, and timely remediation.
What happens if a system is no longer supported by the vendor?
It must be upgraded, replaced, or protected by compensating controls.
How often should vulnerability management processes be reviewed?
At least annually or after significant changes to the environment.
Common QSA Questions
Can you show your software inventory and patch management records?
Yes, we maintain an up-to-date inventory and records of all applied patches and updates.
How do you handle vulnerabilities in custom software?
We use code scanning tools and manual reviews to identify and remediate vulnerabilities.
What is your process for tracking and applying vendor updates?
We subscribe to vendor notifications and have automated processes for patch deployment.