Requirement 6: Develop and Maintain Secure Systems and Applications
Change control procedures must include the following:
| PCI DSS Requirement | How SAKA Meets this Requirement |
|---|---|
| 6.4.5.1—Documentation of impact | For the impact on PANs, this requirement must be fulfilled by customer sites. StrongKey evaluates the potential impact of changes to SAKA components to ensure that the security of the appliance is not compromised. |
| 6.4.5.2—Documented change approval by authorized parties | For changes to system components in the customer's infrastructure, this requirement must be fulfilled by customers. Any changes to SAKA components are always signed off by StrongKey management before implementation. |
| 6.4.5.3—Functionality testing to verify that the change does not adversely impact the security of the system | For customer infrastructure, this requirement must be fulfilled by customers. All changes to SAKA components are tested before release to customers. |
| 6.4.5.4—Back-out procedures | For customer infrastructure, this requirement must be fulfilled by customers. SAKA software is maintained in a software repository under the control of strong authentication. Any change that jeopardizes the integrity of the SAKA appliance can be backed out to a previous release at any time. |