Maintain a vulnerability Management Program

Vulnerability management is the process of systematically and continuously finding weaknesses in an organization’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

Requirement 5: Use and regularly update anti-virus software

Protect all systems against malware and regularly update anti-virus software or programs

Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business- approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.

Section PCI Requirement Comments Provided by Artsman Cloud
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and file servers). See specifics for SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. You must keep your anti-virus software up to date with latest definitions SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

For Theatre Manager database and TM server, ensure those processes are the only thing running on the machine. Keep them separate from a domain server to limit who can actually log in to the server.

Check with the vendor of other systems in use.

  • Artsman: Process isolation is used extensively and services are continuously monitored
  • Customer: Workstations must be audited
5.2 Ensure that all anti-virus mechanisms are maintained as follows:   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Note: Anti-virus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

  • Artsman: Web sales and database
  • Customer: Workstations
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.   SPLIT
  • Artsman: This documentation and staff training
  • Customer: Own staff training

Requirement 6: Develop and maintain secure systems and applications

Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.

Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

Section PCI Requirement Comments Provided by Artsman Cloud
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as 'high', 'medium', or 'low') to newly discovered security vulnerabilities.

Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.

Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk- assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.

  • Artsman: Web sales and database
  • Customer: Workstations
6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Note: Critical security patches should be identifies according to the risk ranking process defined in requirement 6.1

There are two settings in Company Preferences Other Tab that enable:
  • checking daily for updates to TM processes and/or
  • automatically update affected components (optional).
You may need to enable a specific outbound ports for update checking to

Refer to the list of past and present issues to assist you updating your own vulnerability assessment.

We regularly review Postgres, NGINX & OpenSSL to provide the latest patches in each version our installers.

  • Artsman: Web sales and database
  • Customer: Workstations
6.3 Develop internal and external software application (including web-based administrative access to applications) securely, as follows:
  • in accordance with PCI DSS (for example, secure authentication and logging)
  • based on industry standard and/or best practices.
  • Incorporating information security throughout the software development life cycle.

Note: this applies to all software developed internally as well as bespoke or custom software developed by a third party.

  • Artsman: Web sales and database
  • Customer: Workstations
6.3.1 Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.   N/A
6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
  • Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices
  • Code reviews ensure code is developed according to secure coding guidelines
  • Appropriate corrections are implemented prior to release
  • Code-review results are reviewed and approved by management prior to release
6.4 Follow change control procedures for all changes to system components. The procedures must include the following:   SPLIT
  • Artsman: Theatre Manager applications, web sales and database
  • Customer: Workstations
6.4.1 Separate development/test and production environments and enforce the separation with access controls  
6.4.2 Separation of duties between development/test and production environments  
6.4.3 Production data (live PANs) are not used for testing or development Only specified test cards are used
6.4.4 Removal of test data and accounts before production systems become active  
6.4.5 Change control procedures for the implementation of security patches and software modifications. Procedures must include the following: Documentation of impact Documented change approval by authorized parties. Functionality testing to verify that the change does not adversely impact the security of the system. Back-out procedures. Development uses git and branches so that changes can be reverted.
6.5 Address common coding vulnerabilities in software development process as follows:
  • Train developers in secure coding techniquies, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory
  • Develop applications based on secure coding guidelines

Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.

Refer to Current OWASP Top 10 SPLIT
  • Artsman: Applications and default web page templates
  • Customer: Customized web page templates
6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws
6.5.2 Buffer overflow
6.5.3 Insecure cryptographic storage
6.5.4 Insecure communications
6.5.5 Improper error handling
6.5.6 All 'high risk' vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
6.5.7 Cross-site scripting (XSS)
6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions)
6.5.9 Cross-site request forgery (CSRF) TM server ensures all <form> have CSRF token for prevention.
6.5.10 Broken authentication and session management Theatre Manager web services uses encrypted secure cookies that are httpd-only.
6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
  • Reviewing public-facing Web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing an automated technical solution that detects and prevents web-based attacks (for example web-application firewall) in front of public-facing web applications, to continually check traffic

AMS updates NGINX builds as needed (and config settings) to respond to newly reported threats.

AMS uses SPI for all web traffic internally.

6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.   SPLIT
  • Artsman: This documentation and staff training
  • Customer: Own staff training