January 12, 2023 - Tech Evangelist
Hackers frequently target payment card industry (PCI) data. To help protect against this, compliance regimes like the PCI Data Security Standard (PCI DSS) were put in place to protect cardholder data wherever it is processed or stored.
PCI DSS includes several requirements that were designed to help protect cardholder data, including specific recommendations when it comes to vulnerability patching. Within the application security guidelines, PCI DSS informs organizations of the timeline for addressing any known vulnerabilities that emerge within the technology that supports payment transactions and stores payment data.
In this article, we’ll look at the PCI DSS requirements for patching and outline what you can do to meet these requirements, even when patching is tough.
The latest PCI DSS standard, PCI DSS version 4.0, was released at the end of March 2022 (though PCI DSS version 3.2.1 will stay active until March 2024). Aside from a few changes, the patching requirements remain similar in PCI DSS 4.0 and, for the purpose of this article, we’ll refer to version 4.0 of the standard.
No matter which version you refer to, you’ll find the substance of requirements around patching in Section 6, which contains the specification for developing and maintaining secure software and systems. In PCI DSS 4.0, the section that touches on patching is 6.3: “Security vulnerabilities are identified and addressed”.
Patching receives a few mentions in Section 6.3, but the pertinent requirement lies in point 6.3.3. Here, PCI DSS requirements state that:
All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).
In summary, to remain PCI DSS compliant, critical patches need to be applied within a month of patch release, whereas less critical patches must be applied within three months of patch release. Criticality as defined in Section 6.3.1 comes down to a mix of what the vendor says, independent security reports, and the CVSS score.
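As an added example (not part of the original article or of TuxCare's tooling), the following Python check applies the Requirement 6.3.3 deadlines to a constructed list of pending patches and reports which ones are already overdue. The CVSS 7.0 threshold for "high" and the reading of "one month" as 30 days are assumptions, since 6.3.1 leaves the exact risk-ranking method to the entity.

```python
from datetime import date, timedelta

# Constructed sample of pending security patches for one in-scope system.
# Fields: patch id, vendor severity label, CVSS base score, release date.
# These values are made up for the example and are not real advisories.
PENDING_PATCHES = [
    {"id": "PATCH-A", "vendor": "Critical", "cvss": 9.8, "released": date(2022, 11, 1)},
    {"id": "PATCH-B", "vendor": "Moderate", "cvss": 7.5, "released": date(2022, 12, 20)},
    {"id": "PATCH-C", "vendor": "Low", "cvss": 4.3, "released": date(2022, 9, 15)},
    {"id": "PATCH-D", "vendor": "Important", "cvss": 6.1, "released": date(2022, 12, 1)},
]

# Assumed risk-ranking rule for Requirement 6.3.1: a patch counts as
# critical/high if the vendor rates it so OR its CVSS base score is >= 7.0.
HIGH_VENDOR_LABELS = {"critical", "important", "high"}


def is_critical_or_high(patch):
    """Risk ranking per 6.3.1 (assumed rule: vendor label or CVSS >= 7.0)."""
    return patch["vendor"].lower() in HIGH_VENDOR_LABELS or patch["cvss"] >= 7.0


def pci_deadline(patch, other_days=90):
    """Install-by date under 6.3.3: one month (assumed 30 days) for
    critical/high patches, otherwise the entity-defined window, which the
    standard illustrates with three months (90 days here)."""
    days = 30 if is_critical_or_high(patch) else other_days
    return patch["released"] + timedelta(days=days)


def overdue_patches(patches, as_of_iso, other_days=90):
    """Return sorted ids of patches whose 6.3.3 deadline has passed on
    the given ISO date (e.g. "2023-01-12")."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(p["id"] for p in patches if pci_deadline(p, other_days) < as_of)


if __name__ == "__main__":
    for p in PENDING_PATCHES:
        rank = "critical/high" if is_critical_or_high(p) else "other"
        print(f"{p['id']}: {rank}, install by {pci_deadline(p).isoformat()}")
    print("Overdue as of 2023-01-12:", overdue_patches(PENDING_PATCHES, "2023-01-12"))
```

PATCH-B is ranked critical/high by its CVSS score despite the vendor's "Moderate" label, which is exactly the kind of disagreement between sources that the 6.3.1 ranking process has to resolve.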
PCI DSS puts a hard requirement on patching timelines. Covered organizations that fail to meet these requirements will be found non-compliant.
Each organization takes its own approach to patching timelines – even if, in practice, the timeline essentially comes down to ASAP. An independent standard, such as PCI DSS, however, sets fixed requirements that could be tough to meet within your existing cybersecurity practices.
Depending on the source you refer to, the typical time it takes to patch can be anywhere from two to five months, and organizations commonly struggle to meet patching timelines. The reality of patching can easily conflict with PCI DSS requirements. Failure to deploy a patch quickly enough can end up leading to a fine – or worse.
Some of the steps your organization can take to reduce the time to patch and to stand a better chance of staying PCI DSS compliant include:
To meet patching requirements, including those in PCI DSS, you really need all hands on deck. This includes deploying all technology solutions at your disposal – from vulnerability scanning through to live patching.
Patching receives a mention in a couple of other PCI DSS requirements. For example, 1.2.5 points to the need to identify technology services that are active and available and verify that each of these services has a defined business need. Unused services are often forgotten about and, as a consequence, left unpatched and vulnerable.
Likewise, Section 11.3 refers to the need to scan externally facing devices and ensure that any vulnerabilities found are patched or otherwise remediated. There are a few minor mentions in the various appendices to the standard too.
Failing to meet the patching deadlines set in PCI DSS Section 6.3 means non-compliance with the PCI DSS standard. An organization covered by PCI DSS requirements will be subject to heavy fines if it is found to be non-compliant.
There’s also the risk that inadequate patching will lead to a breach – which can involve massive cleanup costs and even business closure.
At TuxCare, we can accelerate your patching approach and make it significantly easier to attain and maintain PCI DSS compliance.
With our live patching solutions, your systems will receive the latest Linux vulnerability patches as soon as they’re made available. With TuxCare, patches are deployed automatically in the background while systems are running, without your team needing to schedule a maintenance window or reboot.
TuxCare live patching covers you for the most popular enterprise Linux operating systems as well as commonly used open-source libraries and databases – and even virtualization environments too. Read more about TuxCare’s range of live patching solutions here.