5.3 Software vendor must follow change control procedures for all product software configuration changes. The procedures must include the following:
5.3.1 Documentation of impact
5.3.2 Management sign-off by appropriate parties
5.3.3 Testing of operational functionality
5.3.4 Back-out or product de-installation procedures
PCI Data Security Standard Requirement 6.4
5.3.a Obtain and examine the vendor’s change-control procedures for software modifications, and verify that the procedures require items 5.3.1–5.3.4 below.
5.3.b Examine recent payment application changes, and trace those changes back to related change control documentation. Verify that, for each change examined, the following was documented according to the change control procedures:
5.3.1 Verify that documentation of customer impact is included in the change control documentation for each change.
5.3.2 Verify that management sign-off by appropriate parties is present for each change.
5.3.3 Verify that operational functionality testing was performed for each change.
5.3.4 Verify that back-out or product de-installation procedures are prepared for each change.