GRCWatch
Sign inStart free trial

PCI DSS 6.5.2: Manage Software Changes via Change Control

Custom and bespoke software changes are high-risk vectors for security vulnerabilities. PCI DSS 6.5.2 requires formal change-management procedures to govern all modifications to your organization's proprietary code. Failure to control software changes can expose cardholder data and trigger audit failures.

What this means

This control mandates that every change to custom-developed and bespoke software must follow documented change-management procedures before implementation. This includes code modifications, patches, updates, and configurations. The procedures should define who can approve changes, how testing occurs before deployment, and how changes are documented and tracked throughout their lifecycle.

How to comply

  1. 1.Document formal change-management procedures covering all bespoke and custom software modifications
  2. 2.Define change request submission requirements, including business justification and technical specifications
  3. 3.Establish approval workflows with designated reviewers before any change is implemented
  4. 4.Mandate testing in non-production environments to identify issues before production deployment
  5. 5.Create a change log recording all modifications with dates, approvers, and descriptions
  6. 6.Implement rollback procedures to quickly revert problematic changes
  7. 7.Require security review of high-risk changes before approval
  8. 8.Monitor and audit compliance with change procedures on a regular basis

Evidence auditors look for

  • Change management policy document defining roles, responsibilities, and procedures
  • Change request forms completed and approved before software modifications
  • Change log or registry showing all implemented changes with approval signatures
  • Test results demonstrating pre-production validation of changes
  • Security assessment documentation for changes affecting cardholder data handling
  • Version control system history showing code modifications and deployments
  • Rollback procedures and documentation of any reverted changes
  • Audit trails showing who approved each change and when it was deployed

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates change request workflows, approval routing, and change documentation for custom software, eliminating manual tracking and ensuring every modification is logged for audit evidence.

See how GRCWatch handles this control automatically

Start free trial

Related controls

6.2 — Ensure Software is Secure6.3.1 — Security Vulnerabilities6.5.1 — Code Injection Prevention6.5.10 — Broken Authentication8.2.1 — User Identification and Authentication