
When it comes to secure software development, compliance standards like PCI DSS v4.0.1 play a crucial role in protecting payment card data. One of the key requirements under this framework is Requirement 6.3.2, which ensures that security vulnerabilities in custom software are identified and addressed before deployment.
In this blog, we’ll break down Requirement 6.3.2, why it matters, and how organizations can effectively implement it to strengthen their software security.
What Is Requirement 6.3.2?
PCI DSS Requirement 6.3.2 states: "Security vulnerabilities are identified and addressed prior to the release of custom software to production."
What This Means ?
If you’re developing or deploying custom applications that handle payment card data, you must proactively identify and fix security vulnerabilities before the software goes live. This step is crucial in preventing security flaws from being exploited in production environments.
Why Is This Important?
With cyber threats constantly evolving, attackers frequently target weaknesses in applications, such as:
- SQL Injection (SQLi) – Exploiting input fields to manipulate databases.
- Cross-Site Scripting (XSS) – Injecting malicious scripts into web pages viewed by users.
- Insecure Authentication Mechanisms – Weak login processes leading to credential leaks.
By ensuring security vulnerabilities are resolved before deployment, organizations reduce the risk of breaches, data theft, and compliance violations.
Case Study: What Happens When Software Security Fails?
In 2018, British Airways suffered a massive data breach when attackers exploited a vulnerability in their web application. Hackers injected malicious scripts that intercepted payment card details from over 400,000 customers. The root cause? Unpatched vulnerabilities in their software.
Had a rigorous security testing process been in place (aligned with Requirement 6.3.2), British Airways could have prevented this costly breach, which led to a £20 million fine under GDPR.
How to Comply with Requirement 6.3.2
To meet this requirement, organizations must implement a structured security testing approach within their Software Development Lifecycle (SDLC).
1. Perform Security Testing in Development :  Before deploying custom software, conduct,
- Static Application Security Testing (SAST): Analyzes source code for vulnerabilities early in development.
- Dynamic Application Security Testing (DAST): Tests the running application for security flaws in real-world conditions.
- Software Composition Analysis (SCA): Identifies vulnerabilities in open-source libraries and third-party dependencies.
Pro Tip: Automate security testing within your DevSecOps pipeline to identify vulnerabilities faster and reduce manual effort.
2. Conduct Vulnerability Assessments
A thorough security review should be part of your software development process. This includes:
- Automated vulnerability scanning of code and dependencies.
- Manual code reviews by security teams.
- Penetration testing to simulate real-world attack scenarios.
3. Implement Secure Coding Practices
Following secure coding guidelines reduces vulnerabilities before they appear. Consider:
- OWASP Top 10 best practices for web applications.
- CWE/SANS Top 25 for identifying common software weaknesses.
- CERT Secure Coding and NIST guidelines for coding standards.
4. Address Vulnerabilities Before Release
Any security issues found during testing must be fixed before deployment. Organizations should:
- Define severity levels for vulnerabilities (e.g., Critical, High, Medium, Low).
- Ensure critical vulnerabilities are patched before production release.
- Maintain a formal process to track and verify fixes.
5. Maintain Documentation and Audit Trails
PCI DSS compliance requires documentation of security efforts. Keep records of:
- Security testing reports
- Vulnerability assessments and remediation efforts
- Change control logs for software updates
This ensures compliance during PCI DSS audits and supports continuous security improvement.
How Does 6.3.2 Fit Into the Bigger Picture?
Requirement 6.3.2 is part of a broader PCI DSS initiative to secure custom software development. It works alongside:
- Requirement 6.2 – Keeping software and systems updated with security patches.
- Requirement 6.4 – Change management and security impact assessment before software changes.
- Requirement 11.3 – Regular penetration testing to identify security gaps.
By integrating secure coding, vulnerability testing, and patch management, organizations can achieve continuous security compliance and minimize cybersecurity risks.
Key Takeaways : 
- Requirement 6.3.2 mandates identifying and addressing security vulnerabilities before software is released.
- Security testing (SAST, DAST, SCA) is crucial to detecting and fixing issues early.
- Vulnerability assessments and secure coding practices must be embedded in the SDLC.
- Critical vulnerabilities must be patched before production to ensure compliance.
- Proper documentation and audit trails are required for PCI DSS validation.
By following these best practices, businesses can build secure, compliant software that protects payment card data and reduces cybersecurity risks.
Next Steps: Strengthen Your PCI DSS Compliance
Is your organization developing custom software? Now is the time to:
- Review your current security testing processes.
- Implement a structured vulnerability management approach.
- Train developers on secure coding best practices.
Need expert guidance?
QRC Assurance helps businesses achieve PCI DSS compliance with tailored security assessments, training, and implementation support.
Contact us today to ensure your software development aligns with PCI DSS best practices!