PCI DSS Blog Series – Requirement 5

The Payment Card Industry Data Security Standard (PCI DSS) consists of nearly 400 individual controls, and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. We find that companies considering PCI are often caught off guard by how comprehensive the PCI DSS is. So, we thought we would help!

CompliancePoint’s PCI blog series will analyze each of the 12 Requirement families. We will outline common challenges our customers face with each requirement, answer some frequently asked questions, and finally, we will provide some pro tips on becoming PCI Certified.

This week we will address Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

What does this requirement require at a high level?

In a nutshell, PCI Requirement 5 comes down to having up-to-date anti-virus software running on all systems known to be commonly affected by malware and ensuring scans are run periodically to detect and protect against possible intrusions. Log generation is also essential for reviewing possible attacks on your network.

Why is compliance with this requirement important (beyond getting certified)?

There are a variety of ways in which malicious software, or malware, can enter your network. Known exploits are constantly used in attempts to attack otherwise secured systems. Without proper anti-virus (AV) software, malware could lead to intrusions on your network and result in compromised systems and breaches in sensitive data.

Common Challenges & Tips for Success:

1. Updating software and running periodic scans
   • Having anti-virus software installed alone is not enough to ensure you are best protected against potential malware attacks. Threats are constantly changing and evolving, so it’s imperative that your software is kept up to date. Most AV solutions support automatic updating, and it’s a great idea to keep that enabled to ensure it’s able to detect the newest malware signatures.
   • Running periodic scans is equally as important as keeping your anti-virus software updated. There are many day-to-day business operations, including e-mail, the use of the Internet, mobile devices, and/or storage devices, that are potential attack vectors for malicious software to enter your network. While many AV solutions do provide a level of automatic detection, periodic scanning ensures files are thoroughly searched for all documented malware signatures. There is no specific requirement for the frequency in which scans must occur. However, best practices suggest at least daily scans for critical systems, as there are many opportunities for malicious software to enter your network. Other systems should be scanned at least weekly, but if you have the resources, daily scans should really be the goal for any system.
2. Implementing an AV management console
   • For very small environments, individual licenses or installations of AV software may be manageable. However, as your environment grows, ensuring each machine’s software is configured and scanning appropriately can become difficult. Managing all your devices under one central AV management console can alleviate much of the stress that comes with maintaining anti-virus software. Many AV providers have solutions for managing their software across all machines in your environment. A centralized console to monitor details like version numbers, scan frequencies, alerts, and logs can be a game-changer not only for compliance purposes, but also for your overall security posture.
3. Documentation of policies/procedures, technologies, and events
   • Policies/procedures
     • For any organization, the effectiveness of its controls is directly impacted by the quality of the documentation of policies, procedures, or standards that outline these controls. As with every PCI requirement, your anti-virus policies and procedures should be clearly defined and available to the appropriate personnel.
   • Technologies
     • Knowing what types of malware are protected against and how your AV software detects, removes, and protects against malicious software is important when choosing a solution that will fit your environment. AV vendors should have documentation describing the signatures it looks for, how it quarantines threats, and other configuration details. You want to make sure all common malware signatures are detected, including viruses, ransomware, Trojans, worms, spyware, adware, rootkits, and any new or emerging threats. In fact, PCI Requirement 5.1.1 calls for a review of AV vendor documentation, making it necessary for compliance purposes.
   • Events
     • Another common theme throughout the PCI DSS is the importance of logging, and there’s no difference here when it comes to Requirement 5. AV software should be configured to capture logs of events or detections. Event details such as the affected machine (IP address), source of malware, date & time, quarantine actions taken, etc., should be captured. In accordance with PCI Requirement 10.7, logs created by anti-virus solutions should have the previous 90 days immediately available, and logs from the previous year need to be obtainable for review. Generating and reviewing logs is extremely important for incident response and learning where your vulnerabilities may lie. If accurate and detailed logs are kept, you should be able to track the intrusion (or attempt) on your network and determine what mitigation should take place.
4. Use policy-based controls to disable alteration by users
   • PCI requires that all active AV mechanisms not be disabled or altered by normal users, unless specifically authorized. Typically, this can be accomplished with policy-based controls. Depending on your AV provider, there may be a setting in your management console which will disable any alterations by users. Otherwise, this could also be accomplished with Windows Policy controls by requiring administrative access before altering any software.

Common Questions:

1. What are “systems commonly affected by malware”?
   • In general, “systems commonly affected by malware” typically refers to machines running Windows operating systems. Mac OSX and desktop versions of Linux can sometimes be considered vulnerable to malware as well. For PCI purposes, it is up to the organization to evaluate whether any excluded systems require the use of anti-virus software. Windows machines cannot be considered as systems not commonly affected by malware.
2. If our environment is all Linux (or Unix-based), does Requirement 5 still apply?
   • Yes. Even if there are no Windows machines in your environment, there are still controls that should be in place to ensure ALL machines are adequately protected against malware. As mentioned previously, it is up to each organization to determine whether systems excluded from required anti-virus software warrant its use. This must be done on a periodic basis (at least annually) and must consider any emerging or evolving threats. Periodic notices from vendors or anti-virus bulletins should be reviewed to be aware of any new malware that could impact the security of your non-Windows operating systems. Your reviews should be accurate and consider all possible threats and best practices to identify which systems may need anti-virus software. For example, if there is a web-facing Linux server in your environment, you may want to consider installing AV software.
3. What if there’s malware without a signature recognized by my AV software?
   • There is new malicious code being created and deployed every single day. Updating your AV software will allow for the newest known signatures to be detected, which should provide detection for the vast majority of malicious software. This is also known as “signature-based detection.” However, there is some malware whose signature cannot be detected by the AV software or is too new for the solution to have identified its signature. This is where “behavioral-based detection” comes in and provides even more defense against malware. Behavioral-based detection doesn’t look specifically at the piece of malicious software itself, but how it behaves or interacts with the environment. Suspicious activity such as the high use of resources, unusual hours in operation, or atypical requests for logins, connections, etc., could be signs of malicious software on your network. If this malicious piece of software has an unknown signature, behavioral-based detection should be able to detect the unusual behavior and identify it as malware. Many AV solutions today have a mix of signature-based and detection-based mechanisms. As previously mentioned, it is important for you to know what detection mechanisms and signatures your AV software includes. 
4. What would I typically need to provide for Requirement 5 in a PCI assessment?
   • There are a few different types of documents that would be reviewed as evidence to validate compliance with PCI Requirement 5. As with every requirement, policies and procedures are a must. They should accurately reflect your organization’s actual methods and standards and should be reviewed and updated at least annually. If in use, your anti-virus management console should be able to provide evidence for many of the technical requirements in Requirement 5. You should be able to provide evidence, typically screenshots, of AV software installed AND running on each required system. Additionally, the update and scan schedule should be easily viewed and will need to be provided as evidence as well. AV vendor documentation and software configurations are also assessed to ensure adequate detection of malware. Again, without a central console, this may be difficult to go to each machine and grab all of this information. As discussed, AV logs are essential for compliance purposes as well as overall good security posture. For a PCI assessment, you need to ensure logs going back 90 days are available for immediate review. Logs must also be retained and accessible for up to one year, so be thinking about long-term storage. The last piece of technical documentation required for Requirement 5 is evidence (usually a screenshot) of policy controls that disallow normal users to disable or alter AV software. There are, of course, nuances to every assessment, but typically, this is the type of evidence you should be able to provide to show your organization’s AV controls.

Conclusion

Adequate malware prevention can be vital to protect against many possible attack vectors that could be exploited throughout day-to-day operations. Following PCI Requirement 5 should provide your organization with an effective set of controls to protect your cardholder data environment from malware. Appropriate monitoring and management are critical to ensure PCI compliance and a strong security posture. For those considering PCI compliance, evaluate whether or not your AV software fulfills your organization’s needs as well as PCI Requirements. Start thinking about the necessary documentation and verify it accurately reflects your organization’s IT Security controls and procedures.

Check Out Other Posts in this Series

• PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• PCI DSS Requirement 3: Protect stored cardholder data
• PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks
• PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• PCI DSS Requirement 6: Develop and maintain secure systems and applications
• PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
• PCI DSS Requirement 8: Identify and authenticate access to system components
• PCI DSS Requirement 9: Restrict physical access to cardholder data
• PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
• PCI DSS Requirement 11: Regularly test security systems and processes
• PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel

CompliancePoint is a Qualified Security Assessor Company (QSAC). Our consultants have decades of experience as practitioners and auditors. Please reach out to us at connect@compliancepoint.com if you have any questions about this requirement or how CompliancePoint can assist your organization with preparing for your PCI DSS Certification.