What is PCI DSS Requirement 6.1?
There are 12 PCI DSS Requirements that need to be met to attain PCI compliance. One of those, Requirement 6, ensures that an entity has its software protected by up-to-date "vendor-provided security patches".
Requirement 6 has several dot points. The first - 6.1 - is officially described as:
"Establish a process to identify security vulnerabilities, using reputable outside sources, and assign a risk ranking (e.g. high, medium, or low) to newly discovered security vulnerabilities."
Unlike external and internal scans, which uncover vulnerabilities and are included in other PCI DSS Requirements, 6.1 requires an entity to actually patch these vulnerabilities, continuously. What's more, 6.1 doesn't need to be performed by an Approved Scanning Vendor (ASV), as is the case for external scans (Requirement 11.2.2), or part of other services that may be offered by a Qualified Security Assessor (QSA).
Patching vulnerabilities can be done manually via numerous sources, including software manufacturers, mailing lists and RSS feeds, or by using a service that specialises in doing this.
'Manually' may sound like a good way to save money but there are downsides. It can be time-consuming and lead to missed patches. For instance, manufacturers may release patches (CVEs) but leave it up to its users to search out the info themselves. If an entity uses dozens, or hundreds of software, missing one CVE can prove costly.
SecAlerts is a service that does the 'CVE searching' legwork for you. Clients choose their software from more than 32,000 on the SecAlerts website and receive one email alert (hourly, daily, weekly, bi-weekly, monthly) with all the CVEs - ranked in severity - for their software.
"Keeping your software up-to-date and secure is not only an integral part PCI compliance and Requirement 6.1," said SecAlerts co-founder, Louis Stowasser, "it's vital for a business' overall cybersecurity."