6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
• In accordance with PCI DSS (for example, secure authentication and logging)
• Based on industry standards and/or best practices.
• Incorporating information security throughout the software-development life cycle
Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.
6.3.a Examine written software-development processes to verify that the processes are based on industry standards and/or best practices.
6.3.b Examine written software-development processes to verify that information security is included throughout the life cycle.
6.3.c Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS.
6.3.d Interview software developers to verify that written software-development processes are implemented.
Without the inclusion of security during the requirements definition, design, analysis, and testing phases of software development, security vulnerabilities can be inadvertently or maliciously introduced into the production environment.
Understanding how sensitive data is handled by the application—including when stored, transmitted, and when in memory—can help identify where data needs to be protected.