To develop PCI-compliant internal and external software applications, it is your responsibility to implement practices that are in accordance with the PCI DSS and other industry-standard best practices. PCI Requirement 6.3 also requires that you incorporate information security throughout the software development lifecycle (SDLC). In an AWS environment, too many customers do not meet compliance with PCI Requirement 6.3 because they do not understand the Shared Responsibility Model and mistakenly rely on AWS’ PCI compliance. Your software development practices are your responsibility. AWS explains, “It is the customer’s responsibility to ensure proper testing, validation, and approval occurs, whether manual or automated, at each stage of the software development lifecycle to satisfy the requirements under PCI Requirement 6.3.”

You can leverage developer tools on AWS to meet this requirement, like AWS CodeStar, AWS X-Ray, AWS CodeCommit, AWS CodePipeline, AWS CodeBuild, or AWS CodeDeploy. To learn more, visit the AWS documentation on developer tools. 

PCI Requirement 6.3 says that you are responsible for developing internal and external applications that are in accordance with the PCI DSS and other industry-standard best practices when it comes to application or software development. A lot of times during the PCI validation phase, people will claim that they are PCI compliant because they will hand off the AWS PCI AoC. They’ll say, “AWS is PCI compliant, so therefore our application that is hosted within AWS is compliant.” But that is not the case. AWS is responsible for providing the PCI requirements and the compliance with those for the infrastructure, and they provide you with a lot of the capabilities that you can utilize to create that PCI-compliant environment. But when it comes to the software development that your company does and the applications that you are deploying to your clients, you are responsible for developing those according to those standards and best practices. 

We will want to see that you have a formal, written software development lifecycle policy. What type of documentation do you have that guides your developers in the way that they develop? Does that document or policy talk about industry-standard methodologies? Does it talk about OWASP? Does it reference the PCI DSS and that you’re striving to comply with the requirements within that? As you focus on your methodologies and your standards, be sure that you have good documentation and that you are referencing third-party standards. 

You want to ensure that you comply with PCI Requirement 6.3.1, which says that you remove test accounts and passwords and test data from your testing environment before it is deployed to production. For your build pipeline, you might reference within your policies that you utilize the various AWS features that are available. They have tools that all start with the word “code” that might relate to this section. They’ve got CodeDeploy, CodeBuild, CodePipeline, and CodeStar. You might reference some of these tools within your documentation or policies to demonstrate the things that you’ve implemented to ensure that you are complying with PCI Requirement 6.3.