What is PCI-DSS Requirement 5
PCI-DSS Requirement 5 requires merchants and service providers to protect all their security systems against malware, by using anti-virus software or programs that are updated regularly.
Malware includes worms, viruses, and trojans that infect the business’ network through employee emails, internet usage, and storage methods. These cyber-attacks can then damage the network through any security system vulnerabilities to either steal or leak sensitive information.
To avoid this, your business needs to install anti-virus software on all networks and devices that could be affected by malware.
PCI-DSS Requirement 5.1: Anti-virus software should be installed on all systems and networks.
The landscape of cyber security is constantly evolving. As hackers adapt to newer updates, security systems can face attacks if any vulnerabilities are discovered.
Some of the most common methods of attack are called ‘zero-days’ and are designed to exploit vulnerabilities unknown to the business. Alongside this, there will also be continuous attempts at exploiting existing vulnerabilities known to the attackers.
This is why it’s essential to install anti-virus software for all system components, especially those that are most affected by malware – usually personal computers and servers.
If you have a network-disconnected device in your company, you will not need to install anti-virus software as these will not be affected by malware.
PCI-DSS Requirement 5.1.1: Make sure that the anti-virus software is effective at detecting, removing, and protecting against malware.
Malware generally includes viruses, malicious adware, Trojans, worms, spyware, and rootkits, so you must install anti-virus software that can detect all known malware and remove it from the system so that it is fully protected.
Often, anti-virus software will implement whitelisting that prevents malware from occurring overall. However, this can be flawed as these solutions can not remove or detect malware in case any were to run.
Requirement 5.1.2: Regularly evaluate systems not frequently affected by malware to assess whether anti-virus software is needed.
Some systems, such as mainframes and middle-sized computers such as AS/400 may not frequently be targeted by malware. However, this doesn’t mean that this won’t be the case in the future.
Due to the fast-changing nature of malware, companies need to be aware of any threats by keeping track of both manufacturer security notifications and anti-virus updates.
Any new vulnerabilities that may arise should be monitored by checking malware trends and methods to combat these. This should be evaluated and stated clearly in your configuration standards and protection strategies.
PCI-DSS Requirement 5.2: All anti-virus software should be regularly updated, with periodic scans and audit logs.
Your anti-virus software will need to consistently be updated to maintain maximum effectiveness.
Periodic scans will need to be performed, with scans should be set to start automatically at certain times. These scans will need to be logged and examined.
Anti-virus software can be configured to create audit logs. These audit logs will allow your business to monitor any potential malware activity and the response of your anti-virus methods.
PCI-DSS Requirement 5.3: Ensure that anti-virus software is actively running and can’t be disabled or edited by users unless specifically authorized by management.
Your anti-virus software will need to be installed so that it can’t be disabled or edited by normal users. However, there may be occasions where the software will need to be disabled for a short period for legitimate technical needs.
In this situation, disabling the anti-virus software will need to be formally authorised by management, who will need complete clarity on the risks of vulnerabilities that may come with this process.
During this period, additional security methods will need to be put into place. This could include disconnecting the unprotected system from the internet and then performing a full scan for malware immediately after the anti-virus software has been reinstated.
PCI-DSS Requirement 5.4: Ensure that security policies and operational procedures that protect your network are documented, in use, and known to all relevant personnel.
Your staff will need to be fully trained on the security protocols and processes to ensure that the risk of malware is mitigated. From there, the employees will need to implement everything the policies and standards require.
This will need to be documented and reviewed frequently to ensure PCI-DSS compliance. Re-training may need to be put in place if members of staff do not have the appropriate knowledge of the security protocol.
Compliance as you work with Hicomply
The many components of PCI-DSS compliance can make the process quite an arduous one for businesses. This is why, at Hicomply, we aim to simply the procedure as much as possible so that your business can focus on the more important things.
Our ISMS solution is a dashboard that keeps all your relevant data and documentation in one place, so you can achieve compliance as you work! Get in touch today to receive a demo.