[PCI DSS 1.x] 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed

[PCI-DSS] 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.

6.1.a For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security patch list, to verify that current vendor patches are installed.

6.1.b Examine policies related to security patch installation to verify they require installation of all critical new security patches within one month.

Question - ‘all’ is not reasonable. What is a good number for ‘all’? 80%, 90%?
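As an added illustration (not part of this thread or any PCI SSC material), the following Python check automates the comparison 6.1.a describes: for a sample of hosts, missing vendor patches are flagged only once they are past the deadline, with critical patches due within one month and less critical ones within three months as the note allows. The host names, patch IDs, dates and the 30/90-day reading of "one month"/"three months" are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not real patch IDs or hosts).
VENDOR_PATCHES = {
    "KB-001": {"severity": "critical", "released": date(2009, 3, 1)},
    "KB-002": {"severity": "critical", "released": date(2009, 4, 20)},
    "KB-003": {"severity": "moderate", "released": date(2009, 2, 1)},
}

# Patches reported as installed on each sampled in-scope host.
INSTALLED = {
    "web01": {"KB-001", "KB-002"},
    "db01": {"KB-002"},
    "intranet01": {"KB-001", "KB-003"},
}

# Assumed deadlines: "one month" for critical, "three months" for the rest.
DEADLINE_DAYS = {"critical": 30, "moderate": 90, "low": 90}


def overdue_patches(installed, vendor_patches, as_of):
    """Return {host: [(patch_id, days_overdue), ...]} for every sampled host
    that is missing a vendor patch whose deadline has passed on `as_of`.
    Hosts with no overdue patches are omitted, so an empty dict means the
    sample passes the 6.1.a comparison."""
    findings = {}
    for host, have in installed.items():
        for pid, meta in vendor_patches.items():
            if pid in have:
                continue
            deadline = meta["released"] + timedelta(days=DEADLINE_DAYS[meta["severity"]])
            if as_of > deadline:
                findings.setdefault(host, []).append((pid, (as_of - deadline).days))
    return findings


if __name__ == "__main__":
    # Constructed assessment date for the sample run.
    for host, items in overdue_patches(INSTALLED, VENDOR_PATCHES, date(2009, 5, 15)).items():
        for pid, days in items:
            print(f"{host}: missing {pid}, {days} day(s) past deadline")
```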

6.1 means that the sample you’ve chosen within the PCI environment must be up to date with critical patches. Without the use of a compensating control, there is no reasonableness allowed for a QSA to sign off on an attestation of compliance if this requirement is not met. This objective should coincide with internal vulnerability scans from the ASV if done correctly.

There is no requirement for an ASV to do the internal vulnerability scans.

The intent is not to test 100% of ALL systems. The intent is that the assessor determines that ALL systems are being updated within 30 days.

An assessor may choose a sampling method that reasonably determines that ALL systems are patched within 30 days, or that a risk-based approach is in use to prioritize patching. This sampling may include reviewing the policies and procedures, interviewing appropriate personnel, and then testing a sample of systems to ensure that the patching requirements of PCI DSS are working. An assessor must engage brain.

Per my original post, I stated “the sample chosen”, which should imply the assessor does not have to test 100% of the PCI environment. I did misstate the use of an ASV; however, even with a traditional (non-ASV) vulnerability scan for the internal network, which is required, it can be used as supporting evidence for 6.1.

To meet this objective, the assessor must choose a sample of systems to test, obtain the software patching procedures from the client and then test the sample. -- This requirement should not include interview of personnel per the PCI scoring requirement.

The sampling methodology that you use for this requirement should follow the same guidelines from 1.x and 2.x sampling. You need to pick a sample that represents operating systems used (i.e. Windows 2003 SP1, Windows 2008) and device/server function. The sample should include servers and network components that are in scope.

The assessment procedure does not require nor does it exclude an interview. Reviewing the policy, asking someone what they do (does it match the policy?) and then a sample to see if they actually do it is a good way to assess.

Source code assessment in 6.1

Hello.

If we develop a payments application, is source code vulnerability scanning (there are solutions providing static and dynamic code analysis) a requirement of 6.1 for us?

Thanks!