Requirement 5: Protect all systems and networks from malicious software


  • This requirement concerns protecting all systems commonly affected by malicious software (malware) against viruses, worms and Trojans.

  • Figure 14. Global state of PCI DSS compliance: Requirement 5

  • Full compliance: Full compliance improved from 82.5% to 88.4%, which is still a bit lower than its 90%-plus performance in 2015 and 2016. In relation to long-term trends, Requirement 5 consistently maintains the highest level of full compliance, together with Requirements 7 and 4.

    Control gap: The improvement of the control gap doubled, with the gap reducing from a high of 9.6% to a more respectable 4.3%.

    While the gap for Control 5.2 improved significantly (-4.7 pp), it remains the worst-performing control under Requirement 5.

    Compensating controls: The use of compensating controls increased to 2.3%. Control 5.2 is compensated the most, but by a very small number of organizations (1.2%) with a legitimate business or technical reason for not being able to maintain all anti-malware systems.

  • Figure 15. Requirement 5 control performance

    • A tip on sustainable control effectiveness

      Antivirus solutions are only as good as the detection technology and definitions they are running. Permit automatic updating of antivirus mechanisms and, where possible, restrict the operation of systems running outdated definitions. Integrate endpoint solutions and automate monitoring and management.

    The goal

    The goal of PCI DSS Key Requirement 5 is to ensure that all relevant systems across the CDE commonly affected by malicious software remain protected at all times against known and evolving malware threats with an effective anti-malware solution, and that organizational capability to respond to malware-related incidents is continuously in place and corrective action is taken in a timely manner to prevent or contain malware contamination of the CDE.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • Technology components: This goal applies to all in-scope system components known to be affected by malware, which may include servers, employee computers, mobile computers, email systems and storage devices, including related logging, monitoring and incident response systems
    • People and teams: The goal also includes the individuals and teams responsible for the deployment, monitoring and response to malware-related incidents, the training and education of end users that access any CDE system components, and third-party vendors that supply or support anti-malware and related security system components

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Capability—deployment: Create a standardized deployment and maintenance process capability for the anti-malware system to be installed and remain active on all in-scope system components, which includes a defined process for identifying in-scope components, i.e., systems commonly affected by malware
    • Capability—anti-malware functions: Install anti-malware systems capable of detecting various types of malicious software to protect systems from current and evolving malware threats, including viruses, worms, Trojans, spyware, adware, ransomware, keyloggers, rootkits, malicious code, scripts and malicious links on in-scope system components, such as servers, employee computer systems, mobile computers, email systems and storage devices. The systems must include automated, regular updates and must generate alerts
    • Capability—automation and monitoring: Standardize and automate the deployment and maintenance of anti-malware systems; particularly in large environments, enforce through automation that anti-malware cannot be disabled without management approval, and automate alerting so that an anti-malware system that is inactive on an in-scope component is detected
    • Capability—detection and response: Integrate anti-malware systems, network access control (NAC) systems and a centralized security information and event management (SIEM) system for the aggregation of security log data across the CDE for normalization, analysis and effective monitoring and response
    • Documentation and processes: Maintain effective standard operating procedures, with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on how to follow the documented procedures. Internally monitor and report adherence to procedures
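    The automation and monitoring capability above, and the earlier tip about restricting systems that run outdated definitions, come down to one recurring check: compare the list of in-scope components against what the anti-malware agents actually report, and raise an alert for every gap. The following is an added example, not code from the Verizon report or from any particular anti-malware product. It assumes two inputs that the report describes but does not specify: an inventory of in-scope CDE components from a configuration management system, and per-agent status records (running state, real-time protection, tamper protection, definition date, last check-in). The hostnames, timestamps, thresholds and the mapping of findings to sub-requirements 5.1, 5.2 and 5.3 are constructed for illustration.

```python
"""Automated anti-malware coverage check over an endpoint inventory.

Added example, not the report's own code. Inputs are assumed: a list of in-scope
CDE components (from configuration management) and the status records reported
by each anti-malware agent. All sample values below are constructed.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds; set them from the organisation's own standard.
MAX_DEFINITION_AGE = timedelta(days=1)  # definitions older than this are outdated
MAX_CHECKIN_AGE = timedelta(hours=12)   # an agent silent longer than this is inactive


@dataclass
class AgentStatus:
    host: str
    agent_running: bool
    realtime_protection: bool
    tamper_protection: bool          # cannot be disabled without management approval
    definitions_updated: datetime
    last_checkin: datetime


@dataclass
class Finding:
    host: str
    control: str      # assumed mapping to PCI DSS sub-requirements 5.1, 5.2, 5.3
    severity: str
    message: str


def evaluate_host(host: str, status: Optional[AgentStatus], now: datetime) -> list[Finding]:
    """Return the policy violations for one in-scope component."""
    if status is None:
        # In-scope component with no agent at all: a deployment gap (5.1).
        return [Finding(host, "5.1", "high", "no anti-malware agent reported")]
    findings: list[Finding] = []
    silence = now - status.last_checkin
    if silence > MAX_CHECKIN_AGE:
        findings.append(Finding(host, "5.3", "high",
                                f"agent inactive: last check-in {silence} ago"))
    elif not (status.agent_running and status.realtime_protection):
        findings.append(Finding(host, "5.3", "high", "agent not actively running"))
    if not status.tamper_protection:
        findings.append(Finding(host, "5.3", "medium",
                                "agent can be disabled without management approval"))
    age = now - status.definitions_updated
    if age > MAX_DEFINITION_AGE:
        # This is the condition under which NAC would restrict the host.
        findings.append(Finding(host, "5.2", "medium",
                                f"definitions outdated by {age - MAX_DEFINITION_AGE}"))
    return findings


def evaluate_fleet(inventory: list[str], statuses: list[AgentStatus], now: datetime) -> list[Finding]:
    """Check every in-scope host; agents reporting for out-of-scope hosts are ignored."""
    by_host = {s.host: s for s in statuses}
    findings: list[Finding] = []
    for host in sorted(inventory):
        findings.extend(evaluate_host(host, by_host.get(host), now))
    return findings


def control_gap(findings: list[Finding], inventory: list[str]) -> dict[str, float]:
    """Share of in-scope hosts failing each control, as a percentage."""
    failing: dict[str, set[str]] = {}
    for f in findings:
        failing.setdefault(f.control, set()).add(f.host)
    return {c: round(100.0 * len(h) / len(inventory), 1) for c, h in sorted(failing.items())}


def to_siem_event(finding: Finding, now: datetime) -> str:
    """Serialise one finding as a JSON line for SIEM ingestion."""
    event = {"timestamp": now.isoformat(), "source": "am-coverage-check", **asdict(finding)}
    return json.dumps(event, sort_keys=True)


# Constructed sample data: four in-scope hosts, one out-of-scope host reporting.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
INVENTORY = ["pos-01", "pos-02", "db-01", "mail-01"]
STATUSES = [
    AgentStatus("pos-01", True, True, True, NOW - timedelta(hours=2), NOW - timedelta(minutes=5)),
    AgentStatus("pos-02", True, False, True, NOW - timedelta(hours=3), NOW - timedelta(minutes=5)),
    AgentStatus("db-01", True, True, False, NOW - timedelta(days=3), NOW - timedelta(minutes=30)),
    # mail-01 is in scope but reports nothing; lab-99 reports but is out of scope.
    AgentStatus("lab-99", False, False, False, NOW - timedelta(days=30), NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    results = evaluate_fleet(INVENTORY, STATUSES, NOW)
    for finding in results:
        print(to_siem_event(finding, NOW))
    print(control_gap(results, INVENTORY))
```

The check is driven by the inventory rather than by the agent console, which is the point: a host the console has never heard of is exactly the one that would otherwise be missed. The `control_gap` percentages are the same kind of figure the report tracks per control, computed for one organisation's fleet, and the JSON lines are the hand-off to the SIEM integration described under detection and response.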

    Strong dependencies and integration with other key requirements

    • Requirement 1: Integration with network security components, for network-based anti-malware protection
    • Requirement 2: The security configuration of anti-malware system components
    • Requirement 6: Integration with system hardening of components, such as NAC
    • Requirement 10: Integration with logging and monitoring systems
    • Requirement 11: Sufficient security testing of anti-malware systems
    • Requirement 12: The risk-based re-evaluation of systems not known to be affected by malware

    Short-term objectives

    • Scope and automation: Implement and maintain a configuration management system for the effective, automatic identification and status synchronization and reporting of all in-scope components across the entire CDE
    • Communication: Document and communicate configuration standards and implementation procedures, management and monitoring procedures for all system components across the CDE

    Long-term objectives

    • Improvement: Improve the integration of security and refine configurations and support processes, documentation and training, monitoring, and reporting
    • Maturity: Achieve and maintain high performance of process and capability maturity on the deployment, maintenance and monitoring of anti-malware components, alerts and incident response

    Common constraints

    • Cost: Lack of budget to deploy and maintain advanced integrated endpoint security solutions
    • Competency: Lack of qualified staff to properly integrate and maintain various endpoint solutions