Requirement 6: Develop and Maintain Secure Systems
  13.1 Requirement 6.1: Patch-Management Practices for PCI Compliance
    13.1.1 Patch Management for PCI Compliance
    13.1.2 Approaches to Patching and Patch Management
      13.1.2.1 Change-Management Process of System Patch Deployment
    13.1.3 Risk-Based Approach to Patch Management
    13.1.4 Assessor’s Notes for Verifying Patch-Management Practices
  13.2 Requirement 6.2: Vulnerability-Management Practices for PCI Compliance
  13.3 Secure Application Development Practices for PCI-DSS and PA-DSS
    13.3.1 Requirement 6.3: Secure SDLC for Application Development
      13.3.1.1 The Risk-Assessment Approach to Secure SDLC
      13.3.1.2 Requirement 6.3.1: Removal of Default User Accounts, IDs, and Passwords
      13.3.1.3 Requirement 6.3.2: Custom Code Review for Security
    13.3.2 Requirement 6.4: Application Change Management and Change Control
      13.3.2.1 Requirement 6.4.5: Change-Management Document and the Essentials of Change Control and Change Management
      13.3.2.2 Requirements 6.4.2 and 6.4.3: Separation of Production, Development, and Test Environments
      13.3.2.3 Requirement 6.4.3: Use of Live PANs for Testing
      13.3.2.4 Requirement 6.4.4: Removal of Test Data in Production
  13.4 Requirement 6.5: Secure Coding Guidelines for Applications
    13.4.1 Secure Coding Guidelines: References and Best Practices
    13.4.2 Requirement 6.5.1: Secure Coding to Address Injection Flaws
      13.4.2.1 SQL Injection
      13.4.2.2 XPath Injection
      13.4.2.3 LDAP Injection
      13.4.2.4 Command Injection
    13.4.3 Requirement 6.5.2: Secure Coding to Address Buffer Overflows
    13.4.4 Requirement 6.5.3: Secure Coding to Address Cryptographic Flaws
      13.4.4.1 Cryptography Essentials
    13.4.5 Requirement 6.5.4: Secure Coding to Address Insecure Transmissions
      13.4.5.1 The SSL/TLS Handshake Process
      13.4.5.2 Implementation Best Practices for Secure Transmission: Web Applications
    13.4.6 Requirement 6.5.5: Secure Coding to Address Improper Error Handling
    13.4.7 Requirement 6.5.6: Remediation Measures to Address High-Severity Vulnerabilities
    13.4.8 Requirement 6.5.7: Secure Coding to Address Cross-Site Scripting
      13.4.8.1 Reflected XSS
      13.4.8.2 Persistent XSS
    13.4.9 Requirement 6.5.8: Secure Coding to Address Flawed Access Control
      13.4.9.1 Session Hijacking
      13.4.9.2 Cross-Site Request Forgery
      13.4.9.3 Session Fixation
      13.4.9.4 Forceful Browsing
    13.4.10 Requirement 6.5.9: Secure Coding to Address Cross-Site Request Forgery
  13.5 Ongoing Vulnerability-Management Practices for Web Applications
    13.5.1 Web-Application Vulnerability Assessments
    13.5.2 Usage of a Web-Application Firewall
  13.6 Summary