Requirement 6.3.3: All system components are protected from known vulnerabilities
Defined Approach Requirements
6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
- Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
- All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity's assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1.
Customized Approach Objective
System components cannot be compromised via the exploitation of a known vulnerability.
Defined Approach Testing Procedures
6.3.3.a Examine policies and procedures to verify processes are defined for addressing vulnerabilities by installing applicable security patches/updates in accordance with all elements specified in this requirement.
6.3.3.b Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement.
Purpose
New exploits are constantly being discovered, and these can permit attacks against systems that have previously been considered secure. If the most recent security patches/updates are not implemented on critical systems as soon as possible, a malicious actor can use these exploits to attack or disable a system or gain access to sensitive data.
Good Practice
Prioritizing security patches/updates for critical infrastructure ensures that high-priority systems and devices are protected from vulnerabilities as soon as possible after a patch is released.
An entity's patching cadence should factor in any re-evaluation of vulnerabilities and subsequent changes in the criticality of a vulnerability per Requirement 6.3.1. For example, a vulnerability initially identified as low risk could become a higher risk later.
Additionally, vulnerabilities individually considered to be low or medium risk could collectively pose a high or critical risk if present on the same system, or if exploited on a low-risk system from which an attacker could reach the CDE.
It is recommended that the entity complete a targeted risk analysis (TRA) according to PCI DSS Requirement 12.3.1 to document the frequency of installing all other applicable security patches/updates. This TRA would include consideration of the entity's assessment of the criticality of the risk to their environment as identified in the risk ranking process at Requirement 6.3.1.
Examples
An example time frame for installation of patches/updates could be 60 days for high-risk vulnerabilities and 90 days for others, as determined by the entity's assessment of risk.
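Testing procedure 6.3.3.b is, in practice, a comparison of each component's installed versions against the latest security releases, with the deadline for each gap taken from the 6.3.1 risk ranking. The following script is an added example (not PCI SSC text and not any vendor's tool) of that comparison. It assumes a constructed inventory of installed package versions per host and a constructed release feed giving, per package, the first fixed version, its release date and the entity's current risk ranking; "one month" is modelled as 30 days, and the 60/90-day windows follow the example above. Package names, versions, dates and hostnames are all invented for illustration.

```python
"""Patch-deadline check for PCI DSS Requirement 6.3.3 (added example).

Assumptions (not from the requirement text):
- Each system component reports installed versions as dotted integers.
- A release feed (constructed inline here) lists, per package, the first
  version containing the fix, its release date, and the entity's current
  risk ranking per Requirement 6.3.1. Because the ranking is read at check
  time, a vulnerability re-ranked from low to critical (Good Practice above)
  automatically picks up the shorter deadline.
- "One month" is modelled as 30 days; 60/90 days follow the page's example.
"""
from dataclasses import dataclass
from datetime import date

# Installation deadline in days after release, keyed by 6.3.1 risk ranking.
# "critical" is fixed by the requirement; the others are the page's example.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 90}


@dataclass(frozen=True)
class SecurityRelease:
    package: str
    fixed_version: str   # first version that contains the fix
    released: date
    risk: str            # entity's ranking per Requirement 6.3.1


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    fixed_version: str
    risk: str
    days_since_release: int
    days_overdue: int    # 0 while still inside the allowed window


def parse_version(v: str) -> tuple:
    """Dotted-integer versions only (assumption); '3.0.14' > '3.0.9'."""
    return tuple(int(p) for p in v.split("."))


def check_host(host: str, installed: dict, releases: list, today: date) -> list:
    """Compare one host's installed versions with the latest security
    releases (testing procedure 6.3.3.b) and report every missing fix."""
    findings = []
    for rel in releases:
        if rel.package not in installed:
            continue  # package absent on this component: patch not applicable
        if parse_version(installed[rel.package]) >= parse_version(rel.fixed_version):
            continue  # fix already installed
        age = (today - rel.released).days
        overdue = max(0, age - SLA_DAYS[rel.risk])
        findings.append(Finding(host, rel.package, installed[rel.package],
                                rel.fixed_version, rel.risk, age, overdue))
    return findings


def check_fleet(inventory: dict, releases: list, today: date) -> list:
    """Run the comparison over every component; most overdue first."""
    out = []
    for host, installed in inventory.items():
        out.extend(check_host(host, installed, releases, today))
    return sorted(out, key=lambda f: (-f.days_overdue, f.host))


def sla_breaches(findings: list) -> list:
    """Only the gaps that already violate their 6.3.3 time frame."""
    return [f for f in findings if f.days_overdue > 0]


# Constructed sample data; every name, version and date is invented.
TODAY = date(2024, 6, 1)
RELEASES = [
    SecurityRelease("openssl", "3.0.14", date(2024, 4, 15), "critical"),  # 47 days old
    SecurityRelease("nginx", "1.26.1", date(2024, 4, 20), "high"),        # 42 days old
    SecurityRelease("curl", "8.8.0", date(2024, 2, 1), "medium"),         # 121 days old
    SecurityRelease("zlib", "1.3.1", date(2024, 5, 20), "critical"),      # 12 days old
]
INVENTORY = {
    "pos-app-01": {"openssl": "3.0.13", "nginx": "1.26.0", "curl": "8.7.1", "zlib": "1.3.1"},
    "pos-app-02": {"openssl": "3.0.14", "nginx": "1.26.1", "curl": "8.8.0", "zlib": "1.3.0"},
    "db-01": {"openssl": "3.0.12", "curl": "8.7.1"},
}

if __name__ == "__main__":
    for f in check_fleet(INVENTORY, RELEASES, TODAY):
        status = f"OVERDUE by {f.days_overdue}d" if f.days_overdue else "within window"
        print(f"{f.host:<11} {f.package:<8} {f.installed} -> {f.fixed_version} "
              f"[{f.risk}] released {f.days_since_release}d ago: {status}")
```

Findings with `days_overdue` of zero are still open patches; they simply have not yet breached 6.3.3. Keeping them in the output matters because the assessor looks at the whole comparison, not only at the breaches, and because a critical gap at day 12 will become a breach at day 31 if nothing is scheduled.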
purpose
Keep all system components protected from known vulnerabilities by installing applicable security patches/updates: critical patches (per the Requirement 6.3.1 risk ranking) within one month of release, all others within the time frame set by the entity's risk assessment.
compliance strategies
- Risk ranking of vulnerabilities per Requirement 6.3.1, re-evaluated as severity changes
- Patch tracking with release dates and installation deadlines per risk ranking
- Regular comparison of installed patches against the most recent vendor patch/update information (testing procedure 6.3.3.b)
typical policies
- Patch Management Policy
- Vulnerability Management Policy (risk ranking and installation time frames, including the TRA per Requirement 12.3.1)
common pitfalls
- Critical patches installed later than one month after release
- No documented time frame for non-critical patches
- Installed patch levels never compared against current vendor patch information
type
Process/Technical Control
difficulty
High
key risks
- System components compromised via exploitation of a known vulnerability
recommendations
- Install patches for critical vulnerabilities within one month of release, and document and meet the time frames for all other applicable patches (for example, 60 days for high-risk vulnerabilities and 90 days for others)
Eligible SAQ
- SAQ-A
- SAQ-A-EP
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER