What is PCI DSS Requirement 6?

Giulio Saggin
Giulio Saggin
Tuesday 28 November 2023
What is PCI DSS Requirement 6?
PCI DSS guide01 16x9 crop

The official explanation of PCI DSS Requirement 6 is summed up as "Develop and maintain secure systems and applications". In other words, an entity attaining PCI compliance needs to have its software protected by up-to-date "vendor-provided security patches".

The PCI DSS states that an entity's critical systems need to patched immediately, using the most recently released patches, while less-critical systems should be patched as soon as possible. However, it's best to treat all vulnerabilities the same and patch them in a (more than) timely manner. There are numerous stories about years-old vulnerabilities being exploited, so you don't want any nasty surprises down the track.

Requirement 6 is broken down into several points:

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources, and assign a risk ranking (e.g. “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

6.2 Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

6.3 Develop internal and external software applications including web-based administrative access to applications in accordance with PCI DSS and based on industry best practices. Incorporate information security throughout the software development life cycle. This applies to all software developed internally as well as bespoke or custom software developed by a third party.

6.4 Follow change control processes and procedures for all changes to system components. Ensure all 18 relevant PCI DSS requirements are implemented on new or changed systems and networks after significant changes.

6.5 Prevent common coding vulnerabilities in software development processes by training developers in secure coding techniques and developing applications based on secure coding guidelines – including how sensitive data is handled in memory.

6.6 Ensure all public-facing web applications are protected against known attacks, either by performing application vulnerability assessment at least annually and after any changes, or by installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

6.7 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.

The best way to comply with Requirement 6 (and all PCI DSS Requirements) is to employ the services of a QSA, of there are more than 380 around the world. One point - 6.1 - can be achieved with a vulnerability tracking service, such as SecAlerts (which matches vulnerabilities - CVEs - to your software).

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203