WithPCI.com

Requirement 6.5.2: Upon completion of a significant change, all applicable PCI DSS requirements are confirmed

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

6.5.2 Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable.

Customized Approach Objective

All system components are verified after a significant change to be compliant with the applicable PCI DSS requirements.

Applicability Notes

These significant changes should also be captured and reflected in the entity's annual PCI DSS scope confirmation activity per Requirement 12.5.2.

Defined Approach Testing Procedures

6.5.2 Examine documentation for significant changes, interview personnel, and observe the affected systems/networks to verify that the entity confirmed applicable PCI DSS requirements were in place on all new or changed systems and networks and that documentation was updated as applicable.

Purpose

Having processes to analyze significant changes helps ensure that all appropriate PCI DSS controls are applied to any systems or networks added or changed within the in-scope environment, and that PCI DSS requirements continue to be met to secure the environment.

Good Practice

Building this validation into change management processes helps ensure that device inventories and configuration standards are kept up to date and security controls are applied where needed.

Examples

Applicable PCI DSS requirements that could be impacted include, but are not limited to:

  • Network and data-flow diagrams are updated to reflect changes.
  • Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled.
  • Systems are protected with required controls—for example, file integrity monitoring (FIM), anti-malware, patches, and audit logging.
  • Sensitive authentication data is not stored, and all account data storage is documented and incorporated into data retention policy and procedures.
  • New systems are included in the quarterly vulnerability scanning process.
  • Systems are scanned for internal and external vulnerabilities after significant changes per Requirements 11.3.1.3 and 11.3.2.1.

Purpose

Test changes for impact prior to deployment.

Compliance Strategies

  • Change impact analysis
  • Pre-production testing

Typical Policies

  • Change Testing Policy

Common Pitfalls

  • No impact assessment
  • No pre-deployment testing

Type

Process/Technical Control

Difficulty

Moderate

Key Risks

  • Production outages
  • New vulnerabilities

Recommendations

  • Require testing sign-off before deployment

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
