PCI DSS Requirement 5: Protect All Systems and Networks from Malicious Software
Malicious software, also commonly known as malware, is any software or firmware specifically designed to cause damage to, or penetrate the security systems of, a computer system without consent. Malware has the sole intent of compromising the system’s data, applications, or operating system. Common examples of malware include viruses, worms, Trojans, spyware, ransomware, keyloggers, and other malicious code.
Because malware can do so much damage to devices, companies should follow best practices to reduce the likelihood of it entering any company system.
Malware can enter the network through a range of day-to-day business activities, including employee email (for example, via phishing), internet use, and storage devices, resulting in the exploitation of system vulnerabilities.
Using anti-malware solutions that address all types of malware helps protect systems from current and evolving malware threats.
For additional details on all 12 of the Requirements, read our PCI DSS Requirements overview.
Requirement 5 Details and Sections
Requirement 5 is broken up into four sections that detail the procedures merchants must follow to reduce the risks of malware entering and harming their systems.
- Requirement 5.1: Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
- Requirement 5.2: Malware is prevented, or detected and addressed.
- Requirement 5.3: Anti-malware mechanisms are active, maintained, and monitored.
- Requirement 5.4: Anti-phishing mechanisms protect users against phishing attacks.
Requirement 5.1: Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
As in many other sections of the PCI DSS framework, one of the most important ways to keep systems secure is to ensure that processes are documented and understood by all affected employees. One way to confirm this is to have those involved in the procedures sign off on the policies to acknowledge their understanding.
Defined approach requirements include:
- Requirement 5.1.1: All security policies and operational procedures identified in Requirement 5 are documented, up-to-date, in use, and known to all affected parties.
- Requirement 5.1.2: Roles and responsibilities for performing these activities are documented, assigned, and understood.
Requirement 5.2: Malware is prevented, or detected and addressed.
Anti-malware software is the usual solution for detecting and preventing malware that could compromise company devices. Companies should choose a comprehensive anti-malware solution that updates frequently as new threats are discovered, and that can quarantine and remove such threats quickly if they enter a system.
Defined approach requirements include:
- Requirement 5.2.1: Anti-malware solutions are deployed on all systems, except for those systems identified per Requirement 5.2.3 as system components that are not at risk from malware.
- Requirement 5.2.2: Deployed anti-malware solutions detect, and remove or block all known types of malware.
- Requirement 5.2.3: All system components not at risk for malware are evaluated periodically to include:
  - A documented list of all system components not at risk for malware.
  - Identification and evaluation of evolving malware threats for those system components.
  - Confirmation that such systems continue to not require anti-malware protection.
Requirement 5.3: Anti-malware mechanisms are active, maintained, and monitored.
As noted in Requirement 5.2, anti-malware software must be maintained to remain effective at detecting and removing malware from systems. It must have the latest updates and protections to fully protect systems; the easiest way to achieve this is automatic updates combined with periodic scans of systems.
Scans should include all systems and software in the cardholder data environment (CDE), including those that are often overlooked such as email servers, web browsers, and instant messaging software.
Defined approach requirements include:
- Requirement 5.3.1: Anti-malware solutions are kept current via automatic updates.
- Requirement 5.3.2: The anti-malware solutions perform periodic scans and active or real-time scans, or perform continuous behavioral analysis of systems or processes.
- Requirement 5.3.3: For removable devices, the anti-malware solutions perform automatic scans when the media is inserted, connected, or mounted.
- Requirement 5.3.4: Audit logs for the anti-malware solutions are enabled and retained in accordance with Requirement 10.5.1.
- Requirement 5.3.5: Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.
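The checks in Requirements 5.2.1, 5.2.3 and 5.3.1 through 5.3.5 can be turned into an automated evidence review. The following is an added example, not code from Basis Theory or the PCI SSC; it evaluates constructed host status records against those controls, treating the "not at risk" list and the time-limited approval to disable protection as data with expiry dates. The age thresholds are assumptions, since the standard leaves the frequency to the entity.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)             # constructed "current time" for the sample data
MAX_SIGNATURE_AGE = timedelta(days=1)  # assumed thresholds; the standard leaves them to the entity
MAX_SCAN_AGE = timedelta(days=7)
# 5.2.3: documented "not at risk" components, keyed to their next re-evaluation date (constructed)
NOT_AT_RISK = {"mainframe-01": datetime(2024, 9, 1), "hsm-01": datetime(2024, 3, 1)}

@dataclass
class HostStatus:
    name: str
    av_installed: bool = False
    signatures_updated: datetime | None = None
    last_scan: datetime | None = None
    realtime_on: bool = False
    continuous_analysis: bool = False
    audit_logging: bool = False
    user_can_disable: bool = True
    disable_approved_until: datetime | None = None  # 5.3.5 time-limited management approval

def evaluate(h: HostStatus) -> list[str]:
    """Return the Requirement 5 findings for one host; an empty list means compliant."""
    if h.name in NOT_AT_RISK:  # exempt hosts need no anti-malware, but the exemption must stay current
        return [] if NOT_AT_RISK[h.name] > NOW else ["5.2.3: re-evaluation of exemption overdue"]
    if not h.av_installed:
        return ["5.2.1: no anti-malware solution deployed"]
    findings = []
    if h.signatures_updated is None or NOW - h.signatures_updated > MAX_SIGNATURE_AGE:
        findings.append("5.3.1: anti-malware solution not kept current")
    scanned = h.last_scan is not None and NOW - h.last_scan <= MAX_SCAN_AGE
    if not ((scanned and h.realtime_on) or h.continuous_analysis):
        findings.append("5.3.2: neither periodic plus real-time scanning nor continuous analysis")
    if not h.audit_logging:
        findings.append("5.3.4: audit logging not enabled")
    approved = h.disable_approved_until is not None and h.disable_approved_until >= NOW
    if h.user_can_disable and not approved:
        findings.append("5.3.5: users can disable protection without time-limited approval")
    return findings

SAMPLE = [  # constructed inventory: one compliant host, then one host per failure mode
    HostStatus("pos-01", True, NOW - timedelta(hours=3), NOW - timedelta(days=2),
               realtime_on=True, audit_logging=True, user_can_disable=False),
    HostStatus("web-01", True, NOW - timedelta(days=5), NOW - timedelta(days=30),
               realtime_on=True, audit_logging=True, user_can_disable=False),
    HostStatus("laptop-07", True, NOW - timedelta(hours=1), NOW - timedelta(days=1),
               realtime_on=True, audit_logging=False, user_can_disable=True),
    HostStatus("mainframe-01"), HostStatus("hsm-01"), HostStatus("kiosk-02"),
]
```

Running `evaluate` over `SAMPLE` flags web-01 for stale signatures and scans, laptop-07 for missing logs and user-disableable protection, hsm-01 for an overdue exemption review, and kiosk-02 for having no anti-malware at all.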
Requirement 5.4: Anti-phishing mechanisms protect users against phishing attacks.
Technical controls can greatly reduce how often employees must decide for themselves whether an email they receive is part of a phishing attack. A good practice is to combine several approaches, including Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).
The defined approach requirement is:
- Requirement 5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.
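Whether SPF, DKIM and DMARC are actually enforcing anything depends on the published DNS records. The following is an added example, not code from Basis Theory or the PCI SSC: it evaluates constructed TXT records for a well-configured domain and a weakly configured one (both hypothetical names) and reports the gaps a receiver would see, such as a soft-fail SPF terminator, a revoked DKIM key, or a monitoring-only DMARC policy.

```python
# Constructed DNS TXT answers standing in for live lookups (keys are the names a
# receiving mail server would query), so the example runs offline.
TXT = {
    "good.example": ["v=spf1 include:_spf.mailer.example -all"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER-BASE64-PUBLIC-KEY"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 include:_spf.mailer.example ?all", "v=spf1 mx ~all"],
    "s1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
}

def tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def check_spf(domain: str) -> list:
    recs = [r for r in TXT.get(domain, []) if r.startswith("v=spf1")]
    if len(recs) != 1:  # RFC 7208: more than one SPF record is a permanent error
        return [f"SPF: expected exactly one v=spf1 record, found {len(recs)}"]
    last = recs[0].split()[-1]
    if last == "-all":
        return []
    if last == "~all":
        return ["SPF: ~all only soft-fails unauthorised senders; prefer -all"]
    return ["SPF: no -all terminator, so unauthorised senders are not rejected"]

def check_dkim(domain: str, selector: str) -> list:
    recs = TXT.get(f"{selector}._domainkey.{domain}", [])
    if not recs:
        return [f"DKIM: no key published for selector {selector}"]
    return [] if tags(recs[0]).get("p") else ["DKIM: empty p= tag means the key is revoked (RFC 6376)"]

def check_dmarc(domain: str) -> list:
    recs = [r for r in TXT.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not recs:
        return ["DMARC: no _dmarc record, so SPF/DKIM results are never enforced"]
    t, out = tags(recs[0]), []
    if t.get("p") == "none":
        out.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif t.get("p") not in ("quarantine", "reject"):
        out.append("DMARC: missing or invalid p= tag")
    if int(t.get("pct", "100")) < 100:
        out.append(f"DMARC: pct={t['pct']} applies the policy to only part of the mail")
    if "rua" not in t:
        out.append("DMARC: no rua= address, so aggregate reports are never received")
    return out

def assess(domain: str, selector: str = "s1") -> list:
    """All anti-spoofing findings for a domain; an empty list means fully enforced."""
    return check_spf(domain) + check_dkim(domain, selector) + check_dmarc(domain)
```

To run this against real domains, replace the `TXT` dictionary with the results of actual TXT lookups; the evaluation logic is unchanged.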
How Basis Theory Can Help You Satisfy PCI DSS Requirement 5
Securing cardholder data in a CDE satisfies many PCI DSS requirements and provides companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.
As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share credit cards without bringing their systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.
*PCI DSS Requirement information contained in this post is for educational purposes only and references material from the guide "Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0" published by the PCI SSC in March 2022. Please refer to the PCI Security Standards Council website for the complete, up-to-date, accurate requirements.