PCI DSS 6.3.3: Install Applicable Security Patches
Security patches are your first line of defense against exploited vulnerabilities. PCI DSS 6.3.3 requires all system components to be protected from known security threats through timely patch installation and updates. Failing to patch systems leaves your cardholder data environment exposed to preventable breaches.
What this means
Control 6.3.3 mandates that organizations implement a systematic approach to identifying, testing, and deploying security patches across all system components in the cardholder data environment. This includes operating systems, applications, databases, and firmware. The control requires patches to be applied promptly to address known vulnerabilities and reduce the attack surface. Patches must be installed on both production and non-production systems to maintain a consistent security posture.
How to comply
- 1.Establish a patch management policy that defines the process for identifying, testing, and deploying patches
- 2.Create a system inventory documenting all components that require patching (servers, workstations, network devices, applications)
- 3.Subscribe to vendor security bulletins and vulnerability databases to identify applicable patches
- 4.Test patches in a non-production environment before deploying to production systems
- 5.Document patch deployment with timestamps, versions applied, and systems affected
- 6.Prioritize critical and high-severity patches for expedited deployment within defined timeframes
- 7.Maintain a remediation schedule for patches that cannot be immediately deployed with documented risk acceptance
- 8.Monitor for and address patches across the entire technology stack, not just operating systems
Evidence auditors look for
- Patch management policy document with defined approval and deployment procedures
- System inventory with patch status and last update dates for each component
- Vendor security bulletin subscriptions and monitoring logs
- Patch deployment records showing installation dates and affected systems
- Test environment patch logs documenting pre-production validation
- Change management records linking patches to deployment approvals
- Vulnerability scan reports showing patch compliance status
- Remediation plans for unpatched systems with risk justifications
- Automated patch management tool dashboards or reports
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers unpatched systems across your infrastructure, tracks patch deployment status in real-time, and generates compliance evidence for PCI DSS audits—eliminating manual patch inventory work.
See how GRCWatch handles this control automatically
Start free trial