[PA-DSS] 5.1.7 Review of payment application code prior to release to customers after any significant change

5.1.7 Review of payment application code prior to release to customers after any significant change, to identify any potential coding vulnerability.

Testing Procedures:

5.1.7.a Confirm the vendor performs code reviews, and that individuals other than the originating author of the code perform the reviews. Alternatively, confirm that vendor uses a tool that analyzes code for security vulnerabilities.

5.1.7.b Confirm that code reviews or analyses occur for new code as well as for code changes.

5.1.7.c Confirm that a documented code review/analysis process is followed, and that the process includes:

- Code reviews are based on industry best practices.
- Code review results are reviewed by management or someone other than the code reviewer.
- Management approves code review results.
- Code is corrected prior to release according to code review results.

5.1.7.d Confirm that all payment application components are reviewed by an organization that specializes in application code security. Alternatively, confirm that individuals who use the code analysis tool are knowledgeable in their use of the tool and implement appropriate corrections.

Note that this organization can be either a third-party company or an internal organization, as long as the code is reviewed by individuals who specialize in application code security and can demonstrate independence from the development team.