7.1 Software vendors must establish a process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet) and to test their payment applications for vulnerabilities. Any underlying software or systems that are provided with or required by the payment application (e.g., web servers, 3rd-party libraries and programs) must be included in this process.
PCI Data Security Standard Requirement 6.2
Testing Procedures:
7.1.a Obtain and examine processes to identify new vulnerabilities and to test payment applications for new vulnerabilities. Verify the processes include:
[ul]
[li]Using outside sources for security vulnerability information[/li][li]Testing of payment applications for new vulnerabilities[/li][/ul]
7.1.b Verify that processes to identify new vulnerabilities and implement corrections into payment application apply to all software provided with or required by the payment application (e.g., web servers, 3rd-party libraries and programs).