Code Customization PCI-Compliance
Posted: Tue Aug 16, 2011 8:55 am
We started making the move to AC7 for PCI-Compliance and have found that there is tons more to it than having a certified cart. We are a small shop and I am the only developer on staff. We have integrated our central inventory system into AC5 and AC7 and made customizations to how data is shown in the UI. We are golden on most of the 200+ PCI-DSS SAQ-D requirements. However, after reading the section on customized code we brought in a PCI implementation consultant to help us understand the requirements.
Requirement 6.3.3: Separation of duties between development/test and production environments. There is a separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
Requirement 6.3.7: Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle required by PCI DSS Requirement 6.3. Code reviews can be conducted by knowledgeable internal personnel or third parties. Web applications are also subject to additional controls, if they are public facing, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS requirement 6.6.
Requirement 6.3.7.a: Obtain and review policies to confirm all custom application code changes for internal applications must be reviewed (either using manual or automated processes), as follows:
- Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
- Appropriate corrections are implemented prior to release.
- Code review results are reviewed and approved by management prior to release.