Requirement 6.3.3: Separation of duties between development/test and production environments. There is a separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
Requirement 6.3.7: Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle required by PCI DSS Requirement 6.3. Code reviews can be conducted by knowledgeable internal personnel or third parties. Web applications, if they are public-facing, are also subject to additional controls to address ongoing threats and vulnerabilities after implementation, as defined in PCI DSS Requirement 6.6.
Requirement 6.3.7.a: Obtain and review policies to confirm all custom application code changes for internal applications must be reviewed (either using manual or automated processes), as follows:
- Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
- Appropriate corrections are implemented prior to release.
- Code review results are reviewed and approved by management prior to release.