GRCWatch
Sign inStart free trial

PCI DSS 6.2.1: Develop Software Securely

Custom and bespoke software is a critical attack vector for payment systems. PCI DSS 6.2.1 requires that all software development follows documented security standards to prevent vulnerabilities before deployment. Compliance means establishing processes, training developers, and enforcing code reviews throughout your development lifecycle.

What this means

PCI DSS 6.2.1 mandates that any custom or proprietary software developed by your organization—including internal tools, integrations, and payment-facing applications—must follow established secure development practices. This includes using secure coding standards, implementing secure design principles, and maintaining documentation of development processes. The control applies whether development is done in-house or by third-party vendors on your behalf.

How to comply

  1. 1.Document a secure software development standard or policy that covers all custom development activities
  2. 2.Train all developers on secure coding practices and OWASP Top 10 vulnerabilities
  3. 3.Implement code review processes before software moves to production
  4. 4.Use static application security testing (SAST) tools to identify vulnerabilities early
  5. 5.Require security testing and validation before release
  6. 6.Maintain version control and change management for all custom code
  7. 7.Document the development process, including who develops, reviews, and approves changes
  8. 8.Extend requirements to third-party developers contracted to build software on your behalf

Evidence auditors look for

  • Secure Software Development Standard document signed and dated
  • Developer training records and course completion certificates
  • Code review checklists and peer review documentation
  • SAST tool scan reports showing vulnerability identification and remediation
  • Security testing results and vulnerability remediation logs
  • Git/version control logs showing code commits and change approvals
  • Development process documentation with roles and responsibilities
  • Third-party developer agreements including secure development requirements

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates secure development tracking by centralizing code review documentation, SAST scan results, and training records in one compliance-ready dashboard—eliminating manual spreadsheets and reducing audit preparation time.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 6.2 — Ensure Security of Bespoke and Custom SoftwarePCI DSS 6.3 — Security Testing Before Release to ProductionPCI DSS 6.4.1 — Removal of Test Data Before ProductionPCI DSS 6.5 — Common Coding Vulnerabilities