PCI Requirement 5 - Update and Scan

This is the fifth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To read the previous posts in this series, click on the links below:

PCI Requirement 1

PCI Requirement 2

PCI Requirement 3

PCI Requirement 4

*Requirement 5 – Protect all systems against malware and regularly update anti-virus software or programs*

Requirement 5 is the start of the Vulnerability management program section of the PCI requirements. This requirement used to be known as the “Windows AV” requirement but it has developed into much more. It seems simple enough, put AV on the endpoints in your PCI environment and make sure they scan and update regularly. That should be commonplace this day in age, but I assure you it's still a weak area in some cases. With the number of tools available and the constant reminders in the news and even on your computer itself, this should be an easy requirement to meet. Requirement 5 really pushes to make sure your AV/Malware tools are enabled, configured properly, updating regularly and scanning for the appropriate malware and viruses.

Companies that require PCI Compliance face some familiar challenges within this requirement:

1. Ensure all the AV Tools are Updated - Manage the AV system and tools to have updates as close to real-time as possible. IT or Security may own this but needs to be vigilantly monitored as new threats come out all the time.
2. Proper Configuration – This is to ensure that the end-user cannot disable or turn of the Anti-virus/Anti-malware protection. The difficulty here is often seen when a company does not have a central AV system to properly control the endpoints.
3. The Requirement - This last challenge really comes from the PCI Council. This requirement on its own is a bit old in its thinking as there should be much more to this control than AV. With NextGen AV and Endpoint Detection and Response tools flooding the market, it makes for a case that traditional AV may be pushed off into the sunset. There is more to it now than just viruses.

These challenges are just some of the areas within the PCI DSS requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!