Warning: Complacency With Your Vulnerability Management Program Can Hurt Your Organization

By definition, a computer virus is: a malicious application or authored code used to perform destructive activity on a device or local network. The code’s malicious activity could damage the local file system, steal data, interrupt services, download additional malware, or any other actions coded into the program by the malware author. Many viruses pretend to be legitimate programs to trick users into executing them on their device, delivering the computer virus payload.

Welcome back to the our series, The Ultimate Guide On Managing PCI DSS Requirement Frequencies. This week we’re unpacking PCI DSS Requirement 5, “Protect all systems against malware and regularly update anti-virus software or programs”

Within the type space of Requirement 5, a merchant company has an implicit duty to maintain vigilance against all malware that could impact their business, their employees, and their customers on a daily basis. Complacency in outdated virus signatures, unpatched anti-virus management consoles, etc., could have a devastating impact on a merchant company.

When this requirement was first written, it was geared towards operating system types “commonly affectedly malicious software.” When I was in PCI ISA training, my trainer referred to this as the “Microsoft Requirement.” In later DSS versions, the systems not commonly affected by malware were required to be risk assessed periodically to continue “to not require anti-virus software.”

As we take a look inside Requirement 5, keep in mind this requirement and its sub-requirements are part of your organization’s overall Vulnerability Management program. Anti-Virus is just one aspect that if ignored or left out-dated can cause numerous headaches or worse, can be compromised and used as an attack vector by both internal and external threat actors.

Five Best Practices To Stay On Your Toes With PCI DSS Requirement 5

Not only does your organization need a robust anti-virus technology, it needs to be deployed on all assets commonly affected by malware. For the purposes of PCI DSS Assessment, your QSA will only be assessing assets in the cardholder data environment.

  1. Know and understand your scope for this requirement. You must have an accurate and up-to-date asset list, including all your servers and user devices that are commonly affected by malicious software.
  2. You must have the most current and up-to-date vendor documentation for your anti-virus technology.
  3. Your anti-virus technology must detect, remove, and protect against all known malicious software. Examples of malicious software include
    • Viruses (boot sector, web scripting, browser hijacking, etc.)
    • Trojans
    • Worms
    • Spyware
    • Adware
    • Rootkits

Examples of widespread viruses include:

    • Morris Worm
    • Nimda
    • ILOVEYOU
    • SQL Slammer
    • Stuxnet
    • CryptoLocker
    • Conficker
    • Tinba
    • Welchia
    • Shlayer
  1. At least twice a year (quarterly is better) risk assess systems not commonly affected by malware (i.e. Unix based systems) against evolving threats to ensure anti-virus software is not required.
  2. Ensure that your anti-virus team is current and up-to-date on all known malicious software and threat vectors, and that your organization has a solid incident response plan in the event a new virus breaches your network.

Frequency Requirements in PCI DSS Requirement 5

Without explicit stating a frequency, requirement 5 uses words such as “current” and “up-to-date.” Anti-virus vendors provide the daily updates to known malware; however, it’s on the organization to ensure the systems that the anti-virus software is running on are working, at appropriate OS versions, and up-to-date with security patches.

Per PCI DSS 5.2, anti-virus mechanisms must perform periodic scans. There’s an implied frequency here that your organization must configure in the AV settings. Best practice – weekly scans if not daily.

In PCI DSS 5.2.d, there’s a loop to PCI DSS 10.7 which has a frequency requirement. Your organization’s anti-virus system must maintain 90 days of immediate logs and your organization must maintain 12 months of archived logs.

While PCI DSS Requirement 5 does not have pages of sub-requirements with frequencies, the systems that run anti-virus software for your organization are in scope and must meet all applicable PCI DSS Requirements and their frequencies.

Remember – while this requirement area may seem “easy” because much of it is automated by your anti-virus vendor, your organization must remain vigilant to emerging threats and keep the systems running anti-virus safe and secure. 

Don’t miss our next installment on PCI DSS Requirement Frequencies.

Our next article in this series will be on Requirement Area 6: Develop and maintain secure systems and applications. Requirement area 6 contains components of a robust Vulnerability Management program as well as a number of frequencies that must be met in order to keep your cardholder data environment secure.

Upcoming Events You Don’t Want to Miss!

December 14, 2021: The Anatomy of a PCI DSS Requirement. Attend this event and receive 1 CPE towards your CISA, CISM, or even your PCI-P credential. ISACA NE members $10; non members $15.


Register Today for The Anatomy of a PCI DSS Requirement!

Leave a Reply

Your email address will not be published.

%d bloggers like this: