PCI compliance requirement 5: Antivirus

Date: Jun 01, 2009

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 5: "Use and regularly update antivirus software." To meet PCI compliance requirement 5, you must: Employ software that scans systems for malware. The compliance duo addresses common questions that they often see in their work as qualified security assessors, including, "What about UNIX, mainframes or HIPS?"

Watch the rest of the PCI compliance videos, as Diana and Ed review each requirement by itself.

Editor's note: This video is based on PCI DSS version 1.1.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.    

PCI compliance requirement 5: Antivirus

Ed Moyle: So, requirement five is a fairly easy one, this is “use antivirus
software”. You probably already are. Most of the time we'll come in, we'll
see this. We'll evaluate to this, and most folks are already doing the
right thing from a technology perspective. They might need a little bit of
assistance getting to where they need to be from a documentation
perspective, but most of the time the technology for this is already in

We get a lot of questions about this though. People ask us,
"What about UNIX? What about mainframes? We have an old
Commodore 64 tucked away in the back office somewhere in a box
under the desk. Does that need to have antivirus software on
it?" The answer, obviously, is no. This requirement, it
even says in the requirement that it applies to systems that
commonly get viruses.

Diana Kelley: Windows.

Ed Moyle: Windows. It does. Point of sale systems, the same way, right? The point of
sale systems, if you have a phone based dialup, you require a
kind of a deal, one of the swiper boxes, or whatever, clearly
you don't have to use some kind of firmware or whatever that
does antivirus on that, because it's not going to get a virus.

Useful thing to point out though, if you’re using Windows as a
point of sale system for a point of sale, which a lot of folks
are, you have a point of sale application that's running on a
Windows desktop, you're going to want to use antivirus on that

Diana Kelley: Right, right, and also, although it may not be a just DSS requirements, if you do have a
lot of UNIX or using a lot of Macs inside your organization in
the payment system process, these operating systems can get
viruses. So you want to make sure that you're as protected as
possible. So, make your own assessments. Sometimes you may wish
to go beyond the standard.

Ed Moyle: One issue that comes up pretty frequently is spyware. The requirement
actually does specify that the package look for spyware. For some antivirus vendors, the spyware functionality costs extra. So make sure that the package that you use supports
looking for spyware and adware as well.

Diana Kelley: So your quick hits on antivirus are you want to get signatures
updated. Make sure that you've got it, along with spyware, on
every system that you find applicable. So you know you need
Windows, anything off of it you deem required, such as UNIX, and
then make sure that also you are looking in fact for the spyware
too and not just the antivirus.

