PCI DSS v2.0 Change in Requirements 6.2 and 6.5.6

The PCI SSC is reminding QSAs that we’re just one month away from an important change to PCI DSS reporting requirements. On June 30, 2012, aspects of Requirements 6.2 and 6.5.6 shift from best practice to required. The Council has offered a couple of simple, common-sense guidelines to help organisations meet the new requirements:

  • Risk rankings should be based on standards or industry best practices
  • Risks should be classified by priority (e.g. high, moderate, low) so that remediation can be ordered accordingly

The requirements read as follows:

6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
Notes:

  • Risk rankings should be based on industry best practices. For example, criteria for ranking “High” risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as “critical,” and/or a vulnerability affecting a critical system component.
  • The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.

[…]
6.5.6 [Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:] All “High” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
Note:

    This requirement is considered a best practice until June 30, 2012, after which it becomes a requirement.

Requirement 6.2 is referenced by several other requirements, so the change carries through to them:

2.2.b Verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.2.
[…]
10.4.a Verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.
[…]
11.2.1.b Review the scan reports and verify that the scan process includes rescans until passing results are obtained, or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
[…]
11.2.3.b Review scan reports and verify that the scan process includes rescans until:

  • For external scans, no vulnerabilities exist that are scored greater than a 4.0 by the CVSS,
  • For internal scans, a passing result is obtained or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.

In addition, the Council says that where 6.5.6 applies (pun not intended) because the organisation develops its own applications, there must now be a test phase to find vulnerabilities ranked “High” under the 6.2 process. Note that the “High” ranking used in 6.5.6, 11.2.1.b and the internal-scan clause of 11.2.3.b is the one your own 6.2 process defines, whereas the external-scan criterion in 11.2.3.b is fixed at a CVSS score of 4.0.
