GRCWatch
Sign inStart free trial

PCI DSS 6.2.3: Code Review Prior to Production Release

PCI DSS 6.2.3 requires all custom and bespoke software to undergo security review before going live. This control prevents vulnerable code from reaching production and is critical for protecting cardholder data. Implementing a structured code review process is essential for PCI compliance and reducing breach risk.

What this means

This control mandates that organizations establish and enforce a process requiring all custom-developed and bespoke software applications to be reviewed for security vulnerabilities before they are deployed to production environments. The review must identify and correct potential weaknesses that could compromise payment card data security.

How to comply

  1. 1.Define a formal code review policy applicable to all custom software development
  2. 2.Document the review process including scope, approval workflows, and vulnerability assessment criteria
  3. 3.Assign qualified reviewers with security knowledge to examine code before deployment
  4. 4.Use automated security scanning tools to identify common vulnerabilities and coding flaws
  5. 5.Require manual code review by at least one independent reviewer not involved in development
  6. 6.Document all identified vulnerabilities and remediation actions taken
  7. 7.Maintain records proving code was reviewed and approved before production release
  8. 8.Train development teams on secure coding practices and PCI DSS requirements
  9. 9.Establish a sign-off process requiring documented approval from authorized personnel

Evidence auditors look for

  • Code review policy document dated and signed by management
  • Peer review documentation showing code reviewer names, dates, and findings
  • Automated vulnerability scan reports from tools like SAST platforms
  • Change management tickets showing code review approval before production deployment
  • Developer training records on secure coding and code review procedures
  • Vulnerability remediation logs showing issues found and corrected
  • Production deployment approvals requiring code review sign-off
  • Version control system logs showing code review comments and approvals

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates code review tracking and approval workflows, creating auditable evidence of pre-production reviews that satisfies PCI DSS 6.2.3 audit requirements without manual spreadsheet management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 6.2.1 — Establish secure development processesPCI DSS 6.2.2 — Remove development, test, and debugging codePCI DSS 6.2.4 — Document security changesPCI DSS 6.3 — Develop and test secure software