Requirement 6.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 6. While it is important to define the specific policies or procedures called out in Requirement 6, it is equally important to ensure they are properly documented, maintained, and disseminated.
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For these reasons, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.
Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Requirement 6.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 6. While it is important to define the specific policies or procedures called out in Requirement 6, it is equally important to ensure they are properly documented, maintained, and disseminated.
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For these reasons, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.
Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Developing bespoke and custom software securely helps prevent the introduction of vulnerabilities during the development process. Using industry standards and best practices for secure development provides a foundation for building secure software.
Software development processes should incorporate security at every stage of the development lifecycle. Developers should be trained in secure coding practices and should have access to secure development resources and tools.
Software development personnel need to understand common software vulnerabilities and how to prevent them through secure coding practices. Without this knowledge, developers may inadvertently introduce vulnerabilities into the software.
Training should cover common vulnerabilities relevant to the programming languages and frameworks used, including those listed in industry resources such as the OWASP Top 10. Training should be provided at least annually and should be updated to reflect current threats.
Reviewing bespoke and custom software before release helps identify and correct security vulnerabilities before they can be exploited in production. Code reviews provide an opportunity to catch issues that automated tools may miss.
Code reviews should be performed by individuals other than the original developer. Both manual and automated review techniques should be used. Reviews should verify that code is developed according to secure coding guidelines and that common vulnerabilities have been addressed.
Manual code reviews complement automated tools by providing deeper analysis of business logic and complex security issues that automated tools may not detect. Having reviews performed by someone other than the original author provides an independent perspective.
Manual code reviews should focus on areas with the highest risk, including authentication, authorization, input validation, and data protection. Reviewers should have knowledge of secure coding practices and common vulnerabilities.
Understanding and addressing common software attack techniques helps developers build more resilient applications. By considering how attackers might exploit the software, developers can implement countermeasures during development rather than after deployment.
Development practices should address at minimum common vulnerabilities including injection attacks (SQL, LDAP, XPath, OS command), buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and cross-site scripting (XSS).
Common software attack techniques include injection attacks, buffer overflows, insecure cryptography, cross-site scripting, cross-site request forgery, and improper access controls.
Developing bespoke and custom software securely helps prevent the introduction of vulnerabilities during the development process. Using industry standards and best practices for secure development provides a foundation for building secure software.
Software development processes should incorporate security at every stage of the development lifecycle. Developers should be trained in secure coding practices and should have access to secure development resources and tools.
Software development personnel need to understand common software vulnerabilities and how to prevent them through secure coding practices. Without this knowledge, developers may inadvertently introduce vulnerabilities into the software.
Training should cover common vulnerabilities relevant to the programming languages and frameworks used, including those listed in industry resources such as the OWASP Top 10. Training should be provided at least annually and should be updated to reflect current threats.
Reviewing bespoke and custom software before release helps identify and correct security vulnerabilities before they can be exploited in production. Code reviews provide an opportunity to catch issues that automated tools may miss.
Code reviews should be performed by individuals other than the original developer. Both manual and automated review techniques should be used. Reviews should verify that code is developed according to secure coding guidelines and that common vulnerabilities have been addressed.
Manual code reviews complement automated tools by providing deeper analysis of business logic and complex security issues that automated tools may not detect. Having reviews performed by someone other than the original author provides an independent perspective.
Manual code reviews should focus on areas with the highest risk, including authentication, authorization, input validation, and data protection. Reviewers should have knowledge of secure coding practices and common vulnerabilities.
Understanding and addressing common software attack techniques helps developers build more resilient applications. By considering how attackers might exploit the software, developers can implement countermeasures during development rather than after deployment.
Development practices should address at minimum common vulnerabilities including injection attacks (SQL, LDAP, XPath, OS command), buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and cross-site scripting (XSS).
Common software attack techniques include injection attacks, buffer overflows, insecure cryptography, cross-site scripting, cross-site request forgery, and improper access controls.
Developing bespoke and custom software securely helps prevent the introduction of vulnerabilities during the development process. Using industry standards and best practices for secure development provides a foundation for building secure software.
Software development processes should incorporate security at every stage of the development lifecycle. Developers should be trained in secure coding practices and should have access to secure development resources and tools.
Software development personnel need to understand common software vulnerabilities and how to prevent them through secure coding practices. Without this knowledge, developers may inadvertently introduce vulnerabilities into the software.
Training should cover common vulnerabilities relevant to the programming languages and frameworks used, including those listed in industry resources such as the OWASP Top 10. Training should be provided at least annually and should be updated to reflect current threats.
Reviewing bespoke and custom software before release helps identify and correct security vulnerabilities before they can be exploited in production. Code reviews provide an opportunity to catch issues that automated tools may miss.
Code reviews should be performed by individuals other than the original developer. Both manual and automated review techniques should be used. Reviews should verify that code is developed according to secure coding guidelines and that common vulnerabilities have been addressed.
Manual code reviews complement automated tools by providing deeper analysis of business logic and complex security issues that automated tools may not detect. Having reviews performed by someone other than the original author provides an independent perspective.
Manual code reviews should focus on areas with the highest risk, including authentication, authorization, input validation, and data protection. Reviewers should have knowledge of secure coding practices and common vulnerabilities.
Understanding and addressing common software attack techniques helps developers build more resilient applications. By considering how attackers might exploit the software, developers can implement countermeasures during development rather than after deployment.
Development practices should address at minimum common vulnerabilities including injection attacks (SQL, LDAP, XPath, OS command), buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and cross-site scripting (XSS).
Common software attack techniques include injection attacks, buffer overflows, insecure cryptography, cross-site scripting, cross-site request forgery, and improper access controls.
Developing bespoke and custom software securely helps prevent the introduction of vulnerabilities during the development process. Using industry standards and best practices for secure development provides a foundation for building secure software.
Software development processes should incorporate security at every stage of the development lifecycle. Developers should be trained in secure coding practices and should have access to secure development resources and tools.
Software development personnel need to understand common software vulnerabilities and how to prevent them through secure coding practices. Without this knowledge, developers may inadvertently introduce vulnerabilities into the software.
Training should cover common vulnerabilities relevant to the programming languages and frameworks used, including those listed in industry resources such as the OWASP Top 10. Training should be provided at least annually and should be updated to reflect current threats.
Reviewing bespoke and custom software before release helps identify and correct security vulnerabilities before they can be exploited in production. Code reviews provide an opportunity to catch issues that automated tools may miss.
Code reviews should be performed by individuals other than the original developer. Both manual and automated review techniques should be used. Reviews should verify that code is developed according to secure coding guidelines and that common vulnerabilities have been addressed.
Manual code reviews complement automated tools by providing deeper analysis of business logic and complex security issues that automated tools may not detect. Having reviews performed by someone other than the original author provides an independent perspective.
Manual code reviews should focus on areas with the highest risk, including authentication, authorization, input validation, and data protection. Reviewers should have knowledge of secure coding practices and common vulnerabilities.
Understanding and addressing common software attack techniques helps developers build more resilient applications. By considering how attackers might exploit the software, developers can implement countermeasures during development rather than after deployment.
Development practices should address at minimum common vulnerabilities including injection attacks (SQL, LDAP, XPath, OS command), buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and cross-site scripting (XSS).
Common software attack techniques include injection attacks, buffer overflows, insecure cryptography, cross-site scripting, cross-site request forgery, and improper access controls.
Developing bespoke and custom software securely helps prevent the introduction of vulnerabilities during the development process. Using industry standards and best practices for secure development provides a foundation for building secure software.
Software development processes should incorporate security at every stage of the development lifecycle. Developers should be trained in secure coding practices and should have access to secure development resources and tools.
Software development personnel need to understand common software vulnerabilities and how to prevent them through secure coding practices. Without this knowledge, developers may inadvertently introduce vulnerabilities into the software.
Training should cover common vulnerabilities relevant to the programming languages and frameworks used, including those listed in industry resources such as the OWASP Top 10. Training should be provided at least annually and should be updated to reflect current threats.
Reviewing bespoke and custom software before release helps identify and correct security vulnerabilities before they can be exploited in production. Code reviews provide an opportunity to catch issues that automated tools may miss.
Code reviews should be performed by individuals other than the original developer. Both manual and automated review techniques should be used. Reviews should verify that code is developed according to secure coding guidelines and that common vulnerabilities have been addressed.
Manual code reviews complement automated tools by providing deeper analysis of business logic and complex security issues that automated tools may not detect. Having reviews performed by someone other than the original author provides an independent perspective.
Manual code reviews should focus on areas with the highest risk, including authentication, authorization, input validation, and data protection. Reviewers should have knowledge of secure coding practices and common vulnerabilities.
Understanding and addressing common software attack techniques helps developers build more resilient applications. By considering how attackers might exploit the software, developers can implement countermeasures during development rather than after deployment.
Development practices should address at minimum common vulnerabilities including injection attacks (SQL, LDAP, XPath, OS command), buffer overflows, insecure cryptographic storage, insecure communications, improper error handling, and cross-site scripting (XSS).
Common software attack techniques include injection attacks, buffer overflows, insecure cryptography, cross-site scripting, cross-site request forgery, and improper access controls.
New security vulnerabilities are constantly being discovered. Without a process to identify and manage these vulnerabilities, organizations may remain exposed to known security flaws that could be exploited.
Organizations should subscribe to vulnerability notification services, review vulnerability databases regularly, and have a process for assessing the risk of newly identified vulnerabilities to their environment. Critical and high vulnerabilities should be prioritized for remediation.
Sources for security vulnerability information include vendor security bulletins, the National Vulnerability Database (NVD), CVE databases, and industry-specific vulnerability tracking services.
Maintaining an inventory of bespoke and custom software helps organizations track what software they have developed and ensure it is all covered by the vulnerability management process. Without an inventory, some software components may be overlooked.
The software inventory should include all bespoke and custom software, as well as third-party software components and libraries incorporated into the software. The inventory should be kept up to date as software is added, modified, or removed.
Known security vulnerabilities in software are frequently exploited by attackers. Installing security patches promptly reduces the window of opportunity for exploitation and helps maintain the security of system components.
Critical security patches should be installed within one month of release. A process should be in place to evaluate, test, and deploy patches in a timely manner. If a patch cannot be applied immediately, compensating controls should be implemented to mitigate the risk.
New security vulnerabilities are constantly being discovered. Without a process to identify and manage these vulnerabilities, organizations may remain exposed to known security flaws that could be exploited.
Organizations should subscribe to vulnerability notification services, review vulnerability databases regularly, and have a process for assessing the risk of newly identified vulnerabilities to their environment. Critical and high vulnerabilities should be prioritized for remediation.
Sources for security vulnerability information include vendor security bulletins, the National Vulnerability Database (NVD), CVE databases, and industry-specific vulnerability tracking services.
Maintaining an inventory of bespoke and custom software helps organizations track what software they have developed and ensure it is all covered by the vulnerability management process. Without an inventory, some software components may be overlooked.
The software inventory should include all bespoke and custom software, as well as third-party software components and libraries incorporated into the software. The inventory should be kept up to date as software is added, modified, or removed.
Known security vulnerabilities in software are frequently exploited by attackers. Installing security patches promptly reduces the window of opportunity for exploitation and helps maintain the security of system components.
Critical security patches should be installed within one month of release. A process should be in place to evaluate, test, and deploy patches in a timely manner. If a patch cannot be applied immediately, compensating controls should be implemented to mitigate the risk.
New security vulnerabilities are constantly being discovered. Without a process to identify and manage these vulnerabilities, organizations may remain exposed to known security flaws that could be exploited.
Organizations should subscribe to vulnerability notification services, review vulnerability databases regularly, and have a process for assessing the risk of newly identified vulnerabilities to their environment. Critical and high vulnerabilities should be prioritized for remediation.
Sources for security vulnerability information include vendor security bulletins, the National Vulnerability Database (NVD), CVE databases, and industry-specific vulnerability tracking services.
Maintaining an inventory of bespoke and custom software helps organizations track what software they have developed and ensure it is all covered by the vulnerability management process. Without an inventory, some software components may be overlooked.
The software inventory should include all bespoke and custom software, as well as third-party software components and libraries incorporated into the software. The inventory should be kept up to date as software is added, modified, or removed.
Known security vulnerabilities in software are frequently exploited by attackers. Installing security patches promptly reduces the window of opportunity for exploitation and helps maintain the security of system components.
Critical security patches should be installed within one month of release. A process should be in place to evaluate, test, and deploy patches in a timely manner. If a patch cannot be applied immediately, compensating controls should be implemented to mitigate the risk.
Public-facing web applications are continuously targeted by new attack techniques and vulnerabilities. Addressing new threats on an ongoing basis helps ensure that these applications remain protected against known attacks.
Organizations should monitor for new threats and vulnerabilities affecting their web applications and implement protections promptly. This may include deploying web application firewalls, applying patches, or updating application code to address new vulnerabilities.
Automated technical solutions such as web application firewalls (WAFs) can detect and prevent web-based attacks in real time. WAFs provide an additional layer of protection for public-facing web applications beyond secure coding practices.
WAFs should be configured to detect and block common web attacks such as SQL injection, cross-site scripting, and other OWASP Top 10 vulnerabilities. WAF rules should be updated regularly to address new threats. The WAF should be placed in front of public-facing web applications to inspect all traffic.
Payment page scripts can be modified by attackers to capture cardholder data as it is entered by the cardholder. Managing and monitoring scripts on payment pages helps prevent unauthorized modifications and protects cardholder data during entry.
All scripts loaded and executed on payment pages should be authorized, have their integrity verified, and be inventoried. A mechanism should be in place to detect unauthorized modifications to scripts. Content Security Policy (CSP) headers and Subresource Integrity (SRI) can help manage and verify payment page scripts.
Public-facing web applications are continuously targeted by new attack techniques and vulnerabilities. Addressing new threats on an ongoing basis helps ensure that these applications remain protected against known attacks.
Organizations should monitor for new threats and vulnerabilities affecting their web applications and implement protections promptly. This may include deploying web application firewalls, applying patches, or updating application code to address new vulnerabilities.
Automated technical solutions such as web application firewalls (WAFs) can detect and prevent web-based attacks in real time. WAFs provide an additional layer of protection for public-facing web applications beyond secure coding practices.
WAFs should be configured to detect and block common web attacks such as SQL injection, cross-site scripting, and other OWASP Top 10 vulnerabilities. WAF rules should be updated regularly to address new threats. The WAF should be placed in front of public-facing web applications to inspect all traffic.
Payment page scripts can be modified by attackers to capture cardholder data as it is entered by the cardholder. Managing and monitoring scripts on payment pages helps prevent unauthorized modifications and protects cardholder data during entry.
All scripts loaded and executed on payment pages should be authorized, have their integrity verified, and be inventoried. A mechanism should be in place to detect unauthorized modifications to scripts. Content Security Policy (CSP) headers and Subresource Integrity (SRI) can help manage and verify payment page scripts.
Public-facing web applications are continuously targeted by new attack techniques and vulnerabilities. Addressing new threats on an ongoing basis helps ensure that these applications remain protected against known attacks.
Organizations should monitor for new threats and vulnerabilities affecting their web applications and implement protections promptly. This may include deploying web application firewalls, applying patches, or updating application code to address new vulnerabilities.
Automated technical solutions such as web application firewalls (WAFs) can detect and prevent web-based attacks in real time. WAFs provide an additional layer of protection for public-facing web applications beyond secure coding practices.
WAFs should be configured to detect and block common web attacks such as SQL injection, cross-site scripting, and other OWASP Top 10 vulnerabilities. WAF rules should be updated regularly to address new threats. The WAF should be placed in front of public-facing web applications to inspect all traffic.
Payment page scripts can be modified by attackers to capture cardholder data as it is entered by the cardholder. Managing and monitoring scripts on payment pages helps prevent unauthorized modifications and protects cardholder data during entry.
All scripts loaded and executed on payment pages should be authorized, have their integrity verified, and be inventoried. A mechanism should be in place to detect unauthorized modifications to scripts. Content Security Policy (CSP) headers and Subresource Integrity (SRI) can help manage and verify payment page scripts.
Without a formal change control process, changes to system components may introduce vulnerabilities or disrupt critical business processes. Change control processes help ensure that all changes are properly planned, tested, approved, and documented.
The change control process should include documentation of the change, impact analysis, approval by authorized personnel, testing in a non-production environment, and back-out procedures. Changes should be tested for security impact before deployment.
Using production data in development and test environments can expose sensitive data to personnel who do not need access to it. Separating development/test environments from production helps protect production data and systems.
Development and test environments should be separate from production environments. Production data, especially PANs, should not be used in development or test environments. If production data must be used, it should be sanitized or masked before use.
Using production data for testing can expose sensitive account data to unauthorized individuals. Pre-production environments typically have weaker security controls than production environments, increasing the risk of exposure.
Test data and accounts should be removed before production systems become active. If production data must be used for testing, it should be sanitized by masking, truncating, or randomizing sensitive data elements before use.
Reviewing custom code before deployment to production helps identify and correct security vulnerabilities before they can be exploited. This is especially important for changes to bespoke and custom software.
Code reviews should cover all custom code changes before deployment to production. Reviews should verify that code is developed in accordance with secure coding guidelines and that common vulnerabilities have been addressed.
Development and pre-production environments may have different configurations and security settings than production. Understanding these differences helps ensure that security controls are not inadvertently weakened when changes are promoted to production.
Development environments should mirror production security configurations as closely as possible. Known differences should be documented and considered during the change management process.
Test data and accounts that remain in production systems can be exploited by attackers. Removing test data and accounts before systems go live helps prevent unauthorized access and reduces the attack surface.
A process should be in place to verify that all test data, test accounts, and custom application accounts used during development are removed or disabled before the system is deployed to production.
Without a formal change control process, changes to system components may introduce vulnerabilities or disrupt critical business processes. Change control processes help ensure that all changes are properly planned, tested, approved, and documented.
The change control process should include documentation of the change, impact analysis, approval by authorized personnel, testing in a non-production environment, and back-out procedures. Changes should be tested for security impact before deployment.
Using production data in development and test environments can expose sensitive data to personnel who do not need access to it. Separating development/test environments from production helps protect production data and systems.
Development and test environments should be separate from production environments. Production data, especially PANs, should not be used in development or test environments. If production data must be used, it should be sanitized or masked before use.
Using production data for testing can expose sensitive account data to unauthorized individuals. Pre-production environments typically have weaker security controls than production environments, increasing the risk of exposure.
Test data and accounts should be removed before production systems become active. If production data must be used for testing, it should be sanitized by masking, truncating, or randomizing sensitive data elements before use.
Reviewing custom code before deployment to production helps identify and correct security vulnerabilities before they can be exploited. This is especially important for changes to bespoke and custom software.
Code reviews should cover all custom code changes before deployment to production. Reviews should verify that code is developed in accordance with secure coding guidelines and that common vulnerabilities have been addressed.
Development and pre-production environments may have different configurations and security settings than production. Understanding these differences helps ensure that security controls are not inadvertently weakened when changes are promoted to production.
Development environments should mirror production security configurations as closely as possible. Known differences should be documented and considered during the change management process.
Test data and accounts that remain in production systems can be exploited by attackers. Removing test data and accounts before systems go live helps prevent unauthorized access and reduces the attack surface.
A process should be in place to verify that all test data, test accounts, and custom application accounts used during development are removed or disabled before the system is deployed to production.
Without a formal change control process, changes to system components may introduce vulnerabilities or disrupt critical business processes. Change control processes help ensure that all changes are properly planned, tested, approved, and documented.
The change control process should include documentation of the change, impact analysis, approval by authorized personnel, testing in a non-production environment, and back-out procedures. Changes should be tested for security impact before deployment.
Using production data in development and test environments can expose sensitive data to personnel who do not need access to it. Separating development/test environments from production helps protect production data and systems.
Development and test environments should be separate from production environments. Production data, especially PANs, should not be used in development or test environments. If production data must be used, it should be sanitized or masked before use.
Using production data for testing can expose sensitive account data to unauthorized individuals. Pre-production environments typically have weaker security controls than production environments, increasing the risk of exposure.
Test data and accounts should be removed before production systems become active. If production data must be used for testing, it should be sanitized by masking, truncating, or randomizing sensitive data elements before use.
Reviewing custom code before deployment to production helps identify and correct security vulnerabilities before they can be exploited. This is especially important for changes to bespoke and custom software.
Code reviews should cover all custom code changes before deployment to production. Reviews should verify that code is developed in accordance with secure coding guidelines and that common vulnerabilities have been addressed.
Development and pre-production environments may have different configurations and security settings than production. Understanding these differences helps ensure that security controls are not inadvertently weakened when changes are promoted to production.
Development environments should mirror production security configurations as closely as possible. Known differences should be documented and considered during the change management process.
Test data and accounts that remain in production systems can be exploited by attackers. Removing test data and accounts before systems go live helps prevent unauthorized access and reduces the attack surface.
A process should be in place to verify that all test data, test accounts, and custom application accounts used during development are removed or disabled before the system is deployed to production.
Without a formal change control process, changes to system components may introduce vulnerabilities or disrupt critical business processes. Change control processes help ensure that all changes are properly planned, tested, approved, and documented.
The change control process should include documentation of the change, impact analysis, approval by authorized personnel, testing in a non-production environment, and back-out procedures. Changes should be tested for security impact before deployment.
Using production data in development and test environments can expose sensitive data to personnel who do not need access to it. Separating development/test environments from production helps protect production data and systems.
Development and test environments should be separate from production environments. Production data, especially PANs, should not be used in development or test environments. If production data must be used, it should be sanitized or masked before use.
Using production data for testing can expose sensitive account data to unauthorized individuals. Pre-production environments typically have weaker security controls than production environments, increasing the risk of exposure.
Test data and accounts should be removed before production systems become active. If production data must be used for testing, it should be sanitized by masking, truncating, or randomizing sensitive data elements before use.
Reviewing custom code before deployment to production helps identify and correct security vulnerabilities before they can be exploited. This is especially important for changes to bespoke and custom software.
Code reviews should cover all custom code changes before deployment to production. Reviews should verify that code is developed in accordance with secure coding guidelines and that common vulnerabilities have been addressed.
Development and pre-production environments may have different configurations and security settings than production. Understanding these differences helps ensure that security controls are not inadvertently weakened when changes are promoted to production.
Development environments should mirror production security configurations as closely as possible. Known differences should be documented and considered during the change management process.
Test data and accounts that remain in production systems can be exploited by attackers. Removing test data and accounts before systems go live helps prevent unauthorized access and reduces the attack surface.
A process should be in place to verify that all test data, test accounts, and custom application accounts used during development are removed or disabled before the system is deployed to production.
Without a formal change control process, changes to system components may introduce vulnerabilities or disrupt critical business processes. Change control processes help ensure that all changes are properly planned, tested, approved, and documented.
The change control process should include documentation of the change, impact analysis, approval by authorized personnel, testing in a non-production environment, and back-out procedures. Changes should be tested for security impact before deployment.
Using production data in development and test environments can expose sensitive data to personnel who do not need access to it. Separating development/test environments from production helps protect production data and systems.
Development and test environments should be separate from production environments. Production data, especially PANs, should not be used in development or test environments. If production data must be used, it should be sanitized or masked before use.
Using production data for testing can expose sensitive account data to unauthorized individuals. Pre-production environments typically have weaker security controls than production environments, increasing the risk of exposure.
Test data and accounts should be removed before production systems become active. If production data must be used for testing, it should be sanitized by masking, truncating, or randomizing sensitive data elements before use.
Reviewing custom code before deployment to production helps identify and correct security vulnerabilities before they can be exploited. This is especially important for changes to bespoke and custom software.
Code reviews should cover all custom code changes before deployment to production. Reviews should verify that code is developed in accordance with secure coding guidelines and that common vulnerabilities have been addressed.
Development and pre-production environments may have different configurations and security settings than production. Understanding these differences helps ensure that security controls are not inadvertently weakened when changes are promoted to production.
Development environments should mirror production security configurations as closely as possible. Known differences should be documented and considered during the change management process.
Test data and accounts that remain in production systems can be exploited by attackers. Removing test data and accounts before systems go live helps prevent unauthorized access and reduces the attack surface.
A process should be in place to verify that all test data, test accounts, and custom application accounts used during development are removed or disabled before the system is deployed to production.
Without a formal change control process, changes to system components may introduce vulnerabilities or disrupt critical business processes. Change control processes help ensure that all changes are properly planned, tested, approved, and documented.
The change control process should include documentation of the change, impact analysis, approval by authorized personnel, testing in a non-production environment, and back-out procedures. Changes should be tested for security impact before deployment.
Using production data in development and test environments can expose sensitive data to personnel who do not need access to it. Separating development/test environments from production helps protect production data and systems.
Development and test environments should be separate from production environments. Production data, especially PANs, should not be used in development or test environments. If production data must be used, it should be sanitized or masked before use.
Using production data for testing can expose sensitive account data to unauthorized individuals. Pre-production environments typically have weaker security controls than production environments, increasing the risk of exposure.
Test data and accounts should be removed before production systems become active. If production data must be used for testing, it should be sanitized by masking, truncating, or randomizing sensitive data elements before use.
Reviewing custom code before deployment to production helps identify and correct security vulnerabilities before they can be exploited. This is especially important for changes to bespoke and custom software.
Code reviews should cover all custom code changes before deployment to production. Reviews should verify that code is developed in accordance with secure coding guidelines and that common vulnerabilities have been addressed.
Development and pre-production environments may have different configurations and security settings than production. Understanding these differences helps ensure that security controls are not inadvertently weakened when changes are promoted to production.
Development environments should mirror production security configurations as closely as possible. Known differences should be documented and considered during the change management process.
Test data and accounts that remain in production systems can be exploited by attackers. Removing test data and accounts before systems go live helps prevent unauthorized access and reduces the attack surface.
A process should be in place to verify that all test data, test accounts, and custom application accounts used during development are removed or disabled before the system is deployed to production.