The threat landscape is constantly changing; the trends for malware can change quickly, so it’s vital for your organization that PCI Requirement 5.1.2 is met. This requirement goes a step further than PCI Requirement 5.1. PCI Requirement 5.1.2 states, “For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.” Just because a certain platform isn’t susceptible to malware today, doesn’t mean it won’t be vulnerable tomorrow.
As part of your anti-virus program, you need to decide how to measure and look at the threat model of the industry. The PCI DSS states, “Trends in malicious software should be included in the identification of new security vulnerabilities, and methods to address new trends should be incorporated into the company’s configuration standards and protection mechanisms as needed.” Your anti-virus program should be able to provide an assessor with evidence that personnel monitors and evaluates evolving malware threats.
If you have systems that are not commonly affected by malware, you assessor should be asking for evidence or an artifact to demonstrate that you constantly assess these systems and compare them to developing malware threats. The systems not commonly affected need to be identified in order to prepare for future attacks. The PCI DSS also states, “Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.”
When we talk about Requirement 5 and the PCI DSS 5.1, it says that those systems that are commonly affected by malware should have some type of antimalware solution installed. That is not going to be the situation forever. Just because a certain platform today doesn’t necessarily become susceptible to malware, that doesn’t mean that’s not the case tomorrow. As part of your processes, for systems that are not commonly affected by a malware, you need to possibly look at measuring and looking at the threat modeling of the industry. You need to spend time making sure that’s still the case, that those systems are not commonly affected by malware.
If you as an organization have systems that are not commonly affected, you assessor should be asking you for some type of evidence or artifact to show that you’ve done your due diligence to demonstrate that these systems are not commonly affected. Understand that at some point, there will be a tipping point between not having an antimalware solution and implementing one. As assessors, it’s our job to make sure you’ve done your due diligence to ensure that what you’re doing is being done securely.