[PCI DSS 1.x] 6.3.7 Review of custom code prior to release to production or customers in order to identify any pot

6.3.7.a Obtain and review any written or other policies to confirm that code reviews are required and must be performed by individuals other than the originating code author
6.3.7.b Verify code reviews are conducted for new code and after code changes
Note: This requirement applies to code reviews for custom software development, as part of the System Development Life Cycle (SDLC). These reviews can be conducted by internal personnel. Custom code for web-facing applications will be subject to additional controls as of June 30, 2008. See PCI DSS requirement 6.6 for details.

Hi, I would like to know what kind of evidence will be necessary in order to prove that source code is being reviewed.
On the other hand, our application is a client/server application, where the client part just contains the user interface and is a web application. The server side is COBOL programs running on a z/OS mainframe with CICS as the transaction server, and we use MQSeries to communicate between the client side and the server side. All data is stored in DB2 tables on the mainframe.
Do we have to review the client side, or the server side or both?

Thanks a lot.