Timeline for PCI DSS 4.0: The Sixth Requirement and Maintaining Secure Systems

Software, whether a local installation or a web application, carries the risk of attack. While phishing and other social engineering attacks are among the most common causes of a system breach, hackers still go after open vulnerabilities in software, whether due to bugs or misconfigured settings. That’s why the sixth requirement of PCI DSS 4.0 emphasizes the practices and policies that help maintain secure software.

How Are Companies Securing Their Software?

The truth is there are some aspects of security that you can’t 100% prevent, namely those associated with social engineering or the vulnerabilities that come with extensive and diverse IT infrastructures. However, one of the positives of securing software is that, in many cases, you can approach the problem through solid best practices and some strategic automation. 

The challenges differ when you talk about different types of software. Generally speaking, PCI DSS will focus on one or both of the following software types: 

  • Out of the Box Software: This is your general-purpose, straight-from-the-vendor solution. With these kinds of software, you’ll often deal with default configurations and packages, so there is little difference between different installations outside of specific data and security.
  • Bespoke Software: Bespoke software is custom, purpose-built software: a solution made to order. Typically, this kind of software is built from the ground up for a specific organization or application, either in-house or by a third party.

There is some overlap between these two categories (generally when an out-of-the-box application is modified to fit specific needs). Still, for PCI DSS, the distinction is more important than the overlap.

Across these categories, administrators and security professionals will focus on a few overarching approaches to threat detection and prevention:

  • Patching and Updating Strategies: Patching complex software isn’t just a matter of downloading the right files and pushing a button. Business goals, overall functionality, and existing security issues must be weighed alongside security and compliance obligations. Therefore, organizations need sophisticated plans to help them maintain patched, secure, and efficient software.
  • Scanning, Audits, and Reviews: As new security threats emerge, software must be kept secure continuously. As such, PCI DSS (and most other compliance standards) require that companies run regular audits and vulnerability scans of software, review the results, and make changes based on those results.
  • Upgrades and Retirement: As new software is released or updated and older software is subsequently retired, the organization must have a plan to ensure that the transition is smooth, that security requirements are met, and that transitional operations (identity and authentication management, integration with other systems) are correctly implemented.

What Is the Sixth Requirement for PCI DSS 4.0?

The sixth requirement is specifically about how an organization manages its software. It covers a range of procedures and practices that help ensure the safety of that software, addressing hacking and vulnerabilities on the front end and development and management on the back end.

6.1 – Defining Processes and Mechanisms for Maintaining Secure Software

  • Documentation: As with all requirements, compliant organizations must maintain compliance documentation, including well-recorded policies, procedures, and rules for conduct for relevant personnel.
  • Roles and Responsibilities: The organization must also have a hierarchy of positions and people in place to provide accountability and clarity of action related to software security. These responsibilities must align with the tenets of requirement six.

6.2 – Custom Software Security

  • Secure Development: Any custom (bespoke) software used to manage cardholder information or primary account numbers (PAN) must be developed based on industry standards, in accordance with PCI DSS requirements, and must include consideration of relevant IT security issues at every stage of its development lifecycle.
  • Developer Training: Any developers working on bespoke software must be trained (at least once every 12 months) on security relevant to their job function (including programming languages), secure design and programming techniques, and the use of relevant testing and vulnerability testing tools.
  • Reviewing Code: Code used in bespoke software must be reviewed before release to identify any errors in the code. Any changes made to that code during the review are reviewed and approved by management and individuals other than the writer of that code.
  • Security Techniques: Bespoke software development must incorporate techniques to prevent or mitigate common threats, including injection attacks, buffer or pointer overflows, attacks against weak encryption, attacks against unsecured APIs, cross-site scripting, attacks against authentication or authorization measures, and others. 

6.3 – Security Vulnerabilities Are Identified and Addressed

  • Managing Vulnerabilities: A compliant organization will identify vulnerabilities using industry-recognized sources, assign risk rankings to known vulnerabilities, use those rankings to identify high-risk vulnerabilities, and apply those risk rankings to both traditional and bespoke software.
  • Inventories: Organizations must maintain inventories of bespoke software as well as third-party software components for vulnerability management.
  • Patching and Updates: High-security patches, released for critical systems, must be installed within one month of release. Other patches must be installed within the timeframe suggested by the releasing entity. 

6.4 – Web Applications Are Protected Against Attacks

  • Protection for Web Applications: Emerging threats to web applications must be addressed on an ongoing basis. This includes manual or automatic vulnerability scanning (at least once every 12 months, conducted by a security entity specializing in application security) that includes all vulnerabilities given a risk rank following requirement 6.3. The organization may also opt to use an automated solution for continual detection that meets the requirements above and generates appropriate audit logs.
  • Automated Detection and Prevention: Automated technical vulnerability detection solutions must be in place for public-facing web applications to prevent web-based attacks. This solution must actively run, generate audit logs, remain up-to-date, and either block attacks or generate an alert for immediate investigation.
  • Management of Payment Page Scripts: Payment page scripts loaded and executed in the consumer’s browser must be managed with a method to confirm that each script is authorized and a method to assure the script’s integrity (through mechanisms like a Content Security Policy (CSP)), along with an inventory of all scripts and a written justification for each.
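
The payment page script control above can be checked mechanically. The following is an added example, not code from the original post or from Lazarus Alliance: it parses a constructed sample payment page, compares the scripts it loads against a constructed authorized inventory (URL, written justification, expected hash), and derives a CSP `script-src` directive from that inventory. It assumes the inventory records Subresource Integrity hashes, which the post does not specify.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed authorized inventory: script URL -> (written justification, expected
# SRI hash). Real hashes are "sha384-" plus a base64 digest; these are placeholders.
INVENTORY = {
    "https://pay.example.com/js/checkout.js": ("Card entry form logic", "sha384-AAAA"),
    "https://cdn.example.com/lib/polyfill.js": ("Browser compatibility", "sha384-BBBB"),
}

# Constructed sample payment page: polyfill.js is authorized but carries no
# integrity attribute, and t.js is not in the inventory at all.
SAMPLE_PAGE = """
<html><body>
<script src="https://pay.example.com/js/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example.com/lib/polyfill.js"></script>
<script src="https://tracker.example.net/t.js"></script>
</body></html>
"""

class ScriptCollector(HTMLParser):
    """Records the src and integrity attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def audit_scripts(page_html, inventory):
    """Return (finding, url) pairs for scripts that are unauthorized or unverified."""
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for src, integrity in collector.scripts:
        if src not in inventory:
            findings.append(("UNAUTHORIZED", src))  # needs justification or removal
        elif integrity != inventory[src][1]:
            findings.append(("INTEGRITY_MISMATCH", src))  # missing or changed hash
    return findings

def csp_script_src(inventory):
    """Derive a CSP script-src directive allowing only inventoried script hosts."""
    hosts = sorted({urlsplit(src).netloc for src in inventory})
    return "script-src 'self' " + " ".join(hosts)
```

Running `audit_scripts(SAMPLE_PAGE, INVENTORY)` flags the unverified polyfill and the uninventoried tracker; a live check would fetch the real page and log the findings for the 6.4 audit trail.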

6.5 – Changes Are Managed Securely

  • Rules and Procedures for Changes to Systems or Components: Any change to a system component must include a reason for the change, documentation of its security impact and approval, testing to confirm the security of the change, and plans and procedures to revert to a secure state should the new or changed component result in security issues.
  • Compliance Confirmation: Documentation must be in place to demonstrate that the organization meets PCI software security requirements on new or changed systems.
  • Production Environments: Organizations must maintain separate and distinct production and pre-production environments, segregated with access controls. Roles and functions are separated between the environments. PANs are not used in pre-production environments unless they are protected in accordance with PCI DSS guidelines and included as part of the overall protected environment.

Prepare for PCI DSS 4.0 with Lazarus Alliance

As we dig into the requirements of PCI DSS, you will see the increasing complexity and interdependence of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t just checklist items; they are tried-and-true security practices that will still support your security efforts ten years from now.

Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form.

Download our company brochure.
