PCI DSS Requirement 5: Protect all systems against malware and update anti-virus software or programs regularly
Generally, worms, viruses, and trojans are called malware. This type of malware infects the network during business-sanctioned events such as employee email, Internet usage, cell phones, and storage devices. It can then damage systems by exploiting system security vulnerabilities or trying to steal confidential information.
Anti-virus software should be used on all devices frequently affected by malware to protect networks from existing and emerging malware threats.
PCI DSS Requirement 5.1: Install anti-virus software on all systems commonly affected by malware.
Even secure systems face regular attacks as new vulnerabilities are discovered, and new viruses continue to develop.
Today, there are methods of attack, also known as “zero-days,” that exploit previously unknown vulnerabilities. Besides, continuous attack attempts are made against systems that use existing vulnerabilities.
Malware formats can target networks, disable a network, or compromise data security checks without a regularly updated anti-virus solution.
It is necessary to install anti-virus software for all system components, which are widely affected by malware and especially personal computers and servers.
It can be said that if you have a network disconnected device in your environment, and there is no way to transmit data in or out, this system is not commonly affected by malware.
The phrase commonly affected by malware usually covers computers with the Windows operating system, but Apple Macintosh and Linux operating systems have also been frequently targeted by attackers recently.
There are fewer vulnerabilities in these operating systems than Windows. However, given the number of vulnerabilities and how often these vulnerabilities are published, they can still be considered to be widely affected.
For this reason, the vulnerabilities and CVE database should be monitored, and the extent to which related systems are affected by weaknesses should be checked regularly.
PCI DSS Requirement 5.1.1: Make sure that the anti-virus software can detect, remove and protect all known malware types.
Examples of malware types include viruses, Trojans, worms, spyware, malicious adware, and rootkits. Your anti-virus software must be protected from all types of malware. Anti-virus software should be able to detect all known malware, remove it from the system, and fully protect the system.
Some anti-virus solutions implement whitelisting to prevent malware from running in the first place. Still, often such solutions do not perform the necessary functions, such as removing or detecting malware.
Whitelist application can be a good way to define various restrictions in applications, but your anti-virus program needs to detect, remove and protect your system.
Requirement 5.1.2: On systems that are not considered to be widely affected by malware, regularly evaluate to verify whether such systems require anti-virus software.
Mainframes, middle-sized computers such as AS/400, and similar systems may not be affected or directly targeted by major attacks or malware during this period. However, the fact that a particular platform is not currently sensitive to malware does not mean that this platform will not be vulnerable tomorrow.
However, malware is constantly evolving, changing rapidly and affecting different systems, so companies need to be aware of new types of malware that can affect their systems and infrastructure.
Companies should be aware of the threats of new and evolving malware by following manufacturer security notifications and anti-virus newsgroups to keep up with this fast-changing environment.
New vulnerabilities should be monitored by tracking trends in malware, and methods for addressing new trends should be included in the company’s configuration standards and protection mechanisms as needed.
You should state that you monitor and evaluate the malware threats that develop during your anti-malware procedure, along with the methods you use.
PCI DSS Requirement 5.2: All anti-virus mechanisms should be kept up-to-date, perform periodic scans and generate audit logs.
Even the best anti-virus solutions remain limited in effectiveness without the latest security updates, signature files, or malware protection.
Audit logs allow monitoring of virus and malware activity and anti-malware reactions. Therefore, anti-virus solutions must be configured to create audit logs, and these logs must be managed according to PCI DSS requirements.
Anti-virus software and its definitions need to be kept up to date with automatic updates, and their scans should be set to start automatically after certain times. Also, anti-virus activities should be logged, and these logs should be examined.
Anti-virus software, which works continuously and whose specified settings cannot be changed, will provide permanent security against malware. Using policy-based controls on all systems to ensure that their protection cannot be changed or disabled will help prevent system weaknesses from being used by malware.
For this reason, anti-virus software should be installed so that it cannot be disabled or changed by normal users.
There may be situations where you need to disable the anti-virus mechanism for a short time and a special reason. Such situations need to be approved by management and management needs to understand the risks of vulnerabilities associated with disabling your anti-virus solution.
Also, additional security measures must be implemented while anti-virus software protection is ineffective. For example, when anti-virus protection is disabled, methods such as disconnecting the unprotected system from the Internet and then performing a full scan when reconnected.
Anti-virus software can be temporarily disabled by the authorized persons only if there is a legitimate technical need by the management. If anti-virus protection needs to be disabled for a specific purpose, formal authorization should be made to the person concerned.
PCI DSS Requirement 5.4: To protect your systems against malware, ensure that security policies and operational procedures are documented, in use, and known to all affected parties.
To ensure that networks are constantly protected from malware, staff must know, follow and enforce security protocols and processes. Your staff should implement what policies, procedures and standards require.
This documentation should be reviewed regularly to ensure compliance and the safety awareness of personnel should be measured frequently.
For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library.