PCI-DSS Requirement 6 — Develop and Maintain Secure Systems and Software
Enforced by: PCI SSC
Current as of March 31, 2022
Plain Language Summary
Patch critical vulnerabilities within 1 month. Custom code must follow secure coding practices. Web applications must have a WAF or undergo code review and penetration testing.
All system components are protected from known vulnerabilities by installing applicable security patches and updates. Critical patches are installed within one month of release. Bespoke and custom software is developed securely using secure coding guidelines. Web-facing applications are protected against known attacks, including those defined in the OWASP Top 10. Third-party software inventories must be maintained and monitored for vulnerabilities.