Is source code scanning required for PCI Compliance?

Jul. 31, 2019
written by nucleaus

Let's start with the basics... What is PCI and why is it important?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards. The standard was created to increase controls around cardholder data to reduce fraud. Validation of compliance is performed annually or quarterly.

It is a PCI DSS requirement to have a secure development lifecycle. The requirement states:

  • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
  • Code reviews ensure code is developed according to secure coding guidelines.
  • Appropriate corrections are implemented prior to release.
  • Code-review results are reviewed and approved by management prior to release.

This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.

By using Nucleaus™, you will meet the PCI DSS requirements and will have reports that can be used for the validation of compliance.