The latest version of the Payment Card Industry Data Security Standard (PCI DSS), version 4.0, was released in March 2022. Although the requirements won't take effect until 2025, it's crucial to start preparing now.
This article will focus on PCI DSS v4.0 requirements 6.2.2, 6.2.3, and 6.2.4 and how secure coding training can help you meet them.
The PCI DSS is a set of security requirements that organizations must meet when storing, processing, or transmitting cardholder data. The PCI DSS is designed to help organizations protect cardholder data from unauthorized access, use, disclosure, modification, or destruction.
PCI DSS v4.0 was released in March 2022 and is the most significant update to the standard since its release in 2006. PCI DSS v4.0 introduces several new requirements and updates to existing requirements.
PCI DSS v4.0 did not take effect immediately on release; the PCI Security Standards Council has published a timeline for when its requirements become mandatory:
Note that organizations that have already been assessed as compliant with PCI DSS 3.2.1 will be granted a one-year grace period to comply with PCI DSS 4.0. This means these organizations will not need to be re-assessed until March 31, 2025.
Here are some of the key changes in PCI DSS v4.0:
Many updates and new requirements in PCI DSS v4.0 can be met with continuous secure coding training for your SDLC.
Secure coding training typically covers topics such as common software vulnerabilities, secure coding best practices, and how to use security tools and techniques to find and fix vulnerabilities in software. It may also cover specific programming languages and frameworks and how to write secure code in those contexts.
Let’s look at how secure coding training can help meet PCI DSS 6.2.2, 6.2.3, and 6.2.4:
PCI DSS v4.0 6.2.2 states:
“Software development personnel remain knowledgeable about secure development practices; software security; and attacks against the languages, frameworks, or applications they develop. Personnel are able to access assistance and guidance when required.”
This means that software development personnel are trained annually on:
PCI DSS v4.0 gives more specific guidance on how developers should be trained. The training expectations stated above can be readily met by working with a secure coding training provider on a continuous secure coding training program.
A yearly OWASP Top 10 training will only meet some of the requirements outlined in 6.2.2, and depending on your organization, you may need a solution to meet different languages, technologies, and frameworks in addition to common vulnerabilities and tools.
PCI DSS v4.0 6.2.3 states:
“Having code reviewed by someone other than the original author, who is both experienced in code reviews and knowledgeable about secure coding practices, minimizes the possibility that code containing security or logic errors that could affect the security of cardholder data is released into a production environment. Requiring management approval that the code was reviewed limits the ability for the process to be bypassed.”
This means that software must be reviewed before it is released into production, in order to identify and correct potential coding vulnerabilities, as follows:
Code reviews are a common practice within the software development process; according to a recent EMA report, 95.3% of organizations use code reviews for secure coding.
But how do you ensure your code reviews are effective and that your reviewers can detect both existing and emerging vulnerabilities? The answer is to continually train the employees tasked with code reviews. The key thing to know about code reviews is that a review is only as good as the reviewer.
Secure coding training can improve code reviews by providing developers with the knowledge and skills to write more secure, higher-quality code. By doing so, developers can reduce the number of security issues that need to be identified and corrected during code reviews, making the process more efficient and effective.
PCI DSS v4.0 6.2.4 states:
“Bespoke and custom software cannot be exploited via common attacks and related vulnerabilities.”
This means that software engineering techniques should be used to prevent or mitigate common software attacks, including:
It may seem straightforward to say, ‘Don’t let your code be exploited,’ but what this requirement comes down to is the ability to show that your organization did what it could to prevent your code from being exploited by common attacks (such as those in the OWASP Top 10).
The best way to learn how to prevent exploitation and attacks is, you guessed it, continuous secure coding training. Hands-on training activities help your developers learn the theory behind preventing attacks and practice breaking and fixing code, so they better understand how code can be exploited.
By leveraging Security Journey's training platform, organizations can drive PCI training success by providing highly effective, engaging, and customizable training programs that enable employees to learn and apply the best practices for securing payment card information.
If you’re ready for your next step, contact our team today to learn how secure coding training can be the foundation of an effective application security program at your organization.