Which statement describes secure software development requirements?

• A. Develop software with focus on performance; security is optional.
• B. Develop internal and external software securely, in accordance with PCI DSS, based on industry standards and/or best practices, incorporating information security throughout the software-development life cycle.
• C. Only internal software must be developed securely.
• D. Security is optional for third-party developed software.

Answer: (B)

Secure software development means building security into every step of the software-development life cycle for all software that processes or handles cardholder data, including software from external vendors. PCI DSS requires this approach, guiding you to follow industry standards and best practices so security isn’t an afterthought but an integral part of development from planning through deployment and maintenance. This entails applying secure coding standards, threat modeling, and thorough security testing (static and dynamic analysis, code reviews), as well as proper change management throughout the lifecycle. By wiring security into both internal and external software, you reduce vulnerabilities and the risk of data exposure in the cardholder data environment.

Options that suggest security is optional or that only internal software must be secure don’t meet PCI DSS expectations and overlook the need to address third-party and externally developed software in the same secure manner.