Skip to content
Back to Security Journey Blog

What You Need To Know About Secure Coding Training for PCI DSS v4.0 Requirements

What You Need To Know About Secure Coding Training for PCI DSS v4.0 Requirements
Compliance & Regulations

Jul. 27, 2023

Published on

The latest version of the Payment Card Industry Data Security Standard (PCI DSS), version 4.0, was released in March 2022. Although the requirements won't take effect until 2025, it's crucial to start preparing now.  

Read More About PCI Training: Free vs. Paid PCI Training: Which Is Best For Your Organization? 

This article will focus on PCI DSS v4.0 requirements 6.2.2, 6.2.3, and 6.2.4 and how secure coding training can help you meet them. 

 

What You Need to Know About PCI DSS v4.0 

The PCI DSS is a set of security requirements that organizations must meet when storing, processing, or transmitting cardholder data. The PCI DSS is designed to help organizations protect cardholder data from unauthorized access, use, disclosure, modification, or destruction. 

PCI DSS v4.0 was released in March 2022 and is the most significant update to the standard since its release in 2006. PCI DSS v4.0 introduces several new requirements and updates to existing requirements. 

The newest version of PCI DSS has not been immediately implemented; PCI has released a timeline for implementation requirements: 

PCI DSS v4.0 timeline

Note that organizations that have already been assessed as compliant with PCI DSS 3.2.1 will be granted a one-year grace period to comply with PCI DSS 4.0. This means these organizations will not need to be re-assessed until March 31, 2025. 

Here are some of the key changes in PCI DSS v4.0: 

  • Increased Focus on Security as a Continuous Process - PCI DSS v4.0 emphasizes the importance of organizations taking a risk-based approach to security and implementing security controls continuously. 
  • More Flexibility and Customization - PCI DSS v4.0 allows organizations to use a customized approach to meet the standard's requirements. This means that organizations can choose the security controls that are most appropriate for their specific needs. 
  • Enhanced Validation Methods and Procedures - PCI DSS v4.0 includes new validation methods and procedures that will help organizations to demonstrate their compliance with the standard. 

Read More About PCI Training: 6 Steps To Facilitate PCI DSS Awareness Training 

 

What PCI DSS v4.0 Says About Secure Coding Training 

Many updates and new requirements in PCI DSS v4.0 can be met with continuous secure coding training for your SDLC. 

Secure coding training typically covers topics such as common software vulnerabilities, secure coding best practices, and how to use security tools and techniques to find and fix vulnerabilities in software. It may also cover specific programming languages and frameworks and how to write secure code in those contexts. 

Read More About Secure Coding Training: What Is Secure Coding Training? 

Let’s look at how secure coding training can help meet PCI DSS 6.2.2, 6.2.3, and 6.2.4: 

 

Secure Coding Training for PCI DSS v4.0 6.2.2 

PCI DSS v4.0 6.2.2 states: 

“Software development personnel remain knowledgeable about secure development practices; software security; and attacks against the languages, frameworks, or applications they develop. Personnel are able to access assistance and guidance when required.” 

This means that software development personnel are trained annually on: 

  • Software security relevant to their job function and development languages 
  • Secure software design and secure coding techniques 
  • How to use the tools for detailed vulnerabilities in software 

More specific guidelines have been given in PCI DSS v4.0 on how developers should be trained. The training guidelines (stated above) can be easily achieved when you partner with a secure coding training partner for a continuous secure coding training program. 

A yearly OWASP Top 10 training will only meet some of the requirements outlined in 6.2.2, and depending on your organization, you may need a solution to meet different languages, technologies, and frameworks in addition to common vulnerabilities and tools. 

 

Secure Coding Training for PCI DSS v4.0 6.2.3 

PCI DSS v4.0 6.2.3 states: 

“Having code reviewed by someone other than the original author, who is both experienced in code reviews and knowledgeable about secure coding practices, minimizes the possibility that code containing security or logic errors that could affect the security of cardholder data is released into a production environment. Requiring management approval that the code was reviewed limits the ability for the process to be bypassed.” 

This means that software is supposed to be reviewed before being released into production to identify correct potential coding vulnerabilities as follows: 

  • Code reviews ensure that code is developed according to secure coding guidelines 
  • Code reviews look for both existing and emerging vulnerabilities 
  • Appropriate corrections are implemented before the release 

Code reviews are a common practice within the code development process; according to a recent EMA report, 95.3% of organizations utilize code reviews for secure coding.  

Read More About Code Reviews: How To Improve Your Code Reviews 

But how do you ensure your code reviews are effective and that your reviewers can detect existing and emerging vulnerabilities? The answer is to train your employees tasked with code reviews continually. The key you should know about code reviews – the review is only as good as the reviewer. 

Secure coding training can improve code reviews by providing developers with the knowledge and skills to write more secure, higher-quality code. By doing so, developers can reduce the number of security issues that need to be identified and corrected during code reviews, making the process more efficient and effective. 

 

Secure Coding Training for PCI DSS v4.0 6.2.4 

PCI DSS v4.0 6.2.4 states: 

“Bespoke and custom software cannot be exploited via common attacks and related vulnerabilities.” 

This means that software engineering techniques should be used to prevent or mitigate common software attacks, including: 

  • Injection Attacks 
  • Attacks on Data Structures 
  • Attacks on Cryptography Usage 
  • Attacks on Business Logic 
  • Attacks on Access Control Mechanisms 
  • Attacks via “High-Risk” Vulnerabilities 

It may seem pretty straightforward to say, ‘Don’t let your code be exploited,’ but what this requirement comes down to is the ability to show that your organization did what it could to prevent your code from being exploited by common attacks (aka OWASP Top 10). 

The best way to learn how to prevent exploitations and attacks is through – you guessed it – continuous secure coding training. Hands-on training activities will help your developers learn the theory behind preventing attacks and practice breaking and fixing code to better understand how code can be exploited. 

 

It’s Never Too Early To Meet PCI Requirements 

By leveraging Security Journey's training platform, organizations can drive PCI training success by providing highly effective, engaging, and customizable training programs that enable employees to learn and apply the best practices for securing payment card information. 

If you’re ready for your next step, contact our team today to learn how secure coding training can be the foundation of an effective application security program at your organization.  

 

Read more from:

Secure Coding Report