Requirement 6: Develop and Maintain Secure Systems and Software

Actors with bad intentions can use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by
vendor-provided security patches, which must be installed by the entities that manage the systems. All system components must have all appropriate
software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.

Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict
with existing security configurations. For bespoke and custom software, numerous vulnerabilities can be avoided by applying software lifecycle
(SLC) processes and secure coding techniques.

Code repositories that store application code, system configurations, or other configuration data that can impact the security of account data or
the CDE are in scope for PCI DSS assessments.
