What is PCI DSS Requirement 6.1?

Giulio Saggin
Tuesday 28 November 2023

There are 12 PCI DSS Requirements that need to be met to attain PCI compliance. One of those, Requirement 6, ensures that an entity has its software protected by up-to-date "vendor-provided security patches".

Requirement 6 has several dot points. The first - 6.1 - is officially described as:

"Establish a process to identify security vulnerabilities, using reputable outside sources, and assign a risk ranking (e.g. high, medium, or low) to newly discovered security vulnerabilities."

Unlike external and internal scans, which uncover vulnerabilities and are included in other PCI DSS Requirements, 6.1 requires an entity to actually patch these vulnerabilities, continuously. What's more, 6.1 doesn't need to be performed by an Approved Scanning Vendor (ASV), as is the case for external scans (Requirement 11.2.2), or be part of other services that may be offered by a Qualified Security Assessor (QSA).

Patching vulnerabilities can be done manually via numerous sources, including software manufacturers, mailing lists and RSS feeds, or by using a service that specialises in doing this.

'Manually' may sound like a good way to save money, but there are downsides. It can be time-consuming and lead to missed patches. For instance, manufacturers may release patches (CVEs) but leave it up to their users to search out the info themselves. If an entity uses dozens, or hundreds, of software products, missing one CVE can prove costly.

SecAlerts is a service that does the 'CVE searching' legwork for you. Clients choose their software from more than 32,000 on the SecAlerts website and receive one email alert (hourly, daily, weekly, bi-weekly, monthly) with all the CVEs - ranked in severity - for their software.

"Keeping your software up-to-date and secure is not only an integral part of PCI compliance and Requirement 6.1," said SecAlerts co-founder, Louis Stowasser, "it's vital for a business' overall cybersecurity."
