PCI Requirement 5.1 – Deploy Anti-Virus Software on all Commonly Affected Systems

by Randy Bartels / August 23rd, 2017

There are more people than you think looking to harm your environment. We used to see viruses created just for the sake of creating viruses. Nowadays, organizations are attacked by software that is specifically written for their environment, probably by somebody who has knowledge of that environment. Your organization should take every precaution possible to prevent a potential attack; this is why PCI Requirement 5 states that all systems need to be protected from malware, with antivirus software that is regularly updated. Malware includes viruses, worms, and Trojans. PCI Requirement 5.1 specifically requires any system that is commonly affected by malware to have antivirus software.

If you have a device that is unplugged from the network and there’s no way to get data in or out of it, that system wouldn’t be considered commonly affected. If you believe Linux systems or Apple systems are not affected by malware, or that they come with anti-malware protection already built in, you’ve got some work to do. Wherever you have systems that are susceptible to malware, there needs to be some type of solution implemented to prevent an attack.

During the assessment, we’re looking to see that you’ve done your due diligence to protect your systems. A sample of system components will be taken so that the assessor can verify that anti-virus software has been deployed wherever necessary.

There’s a lot of people out in the industry that look to do harm to your environment. It used to be, years ago, that people would create viruses just for the sake of creating viruses. You saw worms, you saw the Melissa virus, you saw the ILOVEYOU virus. Sometimes these worms or viruses have malicious intent, and sometimes they just spread and become a nuisance.

What we see in the marketplace today is organizations being attacked with software that is specifically written for their environment by somebody that has knowledge of their environment. When we saw one of the recent attacks, there was software that was installed in a sales system that actually scraped the memory of the system as the cardholder data flew through the environment.

We need to implement some type of solution that prevents systems that are commonly affected by malware from being attacked. When we look at Requirement 5.1, I want to have a conversation about “commonly affected” and what that means. As an assessor, if you tell me that you have a Linux system that’s not impacted by malware, I can guarantee you that is not the case today. If you tell me that you have a Mac and Macs are no longer affected by malware, I can guarantee you that is not the case today. However, in your environment, what we’re looking for is that you’ve done your due diligence about systems that may or may not be impacted by malware. Just because you have a Windows operating system or a Linux operating system doesn’t automatically mean that you have to have a malware solution on it. From an assessor perspective, that is really our starting point: you should have an anti-malware solution on these devices. However, if you’ve unplugged it from the network and the system is only booted up in order to get information off of it and written down, there’s no way to get data out of or into it, and then you shut the machine down – no, that system wouldn’t be commonly affected.

From an assessment perspective and an inventory perspective on your side, you need to do due diligence if you are not going to be implementing an anti-malware solution. You need to make sure that these systems are not going to be impacted by malware, should it get into that environment. From an assessment perspective, it’s a really difficult conversation to suggest these operating systems. Just because legacy systems in years past didn’t need it, that is not the case today. There might be situations with mainframe environments, such as z/OS, or Tandem mainframes or Tandem devices, that are not commonly affected. It’s kind of a given that those systems aren’t commonly affected, so we wouldn’t look for an anti-malware solution. Where you have systems where malware is available for those systems and those systems do get infected, the starting point should be that you have a solution installed.
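The inventory due diligence described above, and the assessor's check that anti-malware is deployed wherever a system is commonly affected, can be turned into a repeatable gap report. The script below is an added example and is not code from the original post or from KirkpatrickPrice; it applies the post's reasoning to a small constructed inventory: a system with a solution installed is covered; a system isolated from the network with no data path in or out is not commonly affected; z/OS and Tandem NonStop are treated as generally not commonly affected; any other networked system with no solution needs a documented rationale for the assessor to review, otherwise it is a gap. The `Asset` fields, the platform lists and the hostnames are assumptions made for the example.

```python
"""Added example: report PCI DSS 5.1 anti-malware coverage gaps over an asset inventory.
Not from the original post; inventory rows, field names and platform lists are assumed."""
from dataclasses import dataclass
from typing import Optional, List, Dict, Tuple

# Platform families the post says malware is available for and does infect:
# the starting point is that a solution is installed.
COMMONLY_AFFECTED = {"windows", "linux", "macos"}
# Platform families the post treats as a given that they are not commonly affected.
GENERALLY_NOT_AFFECTED = {"z/os", "tandem nonstop"}


@dataclass
class Asset:
    hostname: str
    os_family: str
    network_connected: bool            # False = unplugged, no path for data in or out
    anti_malware: Optional[str] = None  # installed product name, or None
    exemption_rationale: Optional[str] = None  # documented due-diligence note, if any


@dataclass
class Finding:
    hostname: str
    status: str   # covered | not_commonly_affected | exempt_documented | gap
    reason: str


def classify(asset: Asset) -> Finding:
    """Apply the 'commonly affected' decision from the post to one asset."""
    fam = asset.os_family.strip().lower()
    if asset.anti_malware:
        return Finding(asset.hostname, "covered", f"{asset.anti_malware} installed")
    if not asset.network_connected:
        # The post's example: unplugged, no way to get data out of or into it.
        return Finding(asset.hostname, "not_commonly_affected",
                       "isolated from the network; no path for data in or out")
    if fam in GENERALLY_NOT_AFFECTED:
        return Finding(asset.hostname, "not_commonly_affected",
                       f"{asset.os_family} is generally accepted as not commonly affected")
    if asset.exemption_rationale:
        # No solution, but due diligence is written down: the assessor reviews it.
        return Finding(asset.hostname, "exempt_documented",
                       f"no solution installed; documented rationale: {asset.exemption_rationale}")
    if fam in COMMONLY_AFFECTED:
        return Finding(asset.hostname, "gap",
                       f"{asset.os_family} is commonly affected; no solution and no documented rationale")
    # Unrecognised platform with nothing documented: treat as a gap until due diligence exists.
    return Finding(asset.hostname, "gap",
                   f"{asset.os_family} is unclassified; no solution and no documented rationale")


def assess(assets: List[Asset]) -> Tuple[List[Finding], Dict[str, int], List[Finding]]:
    """Classify every asset; return all findings, a status count and the open gaps."""
    findings = [classify(a) for a in assets]
    summary: Dict[str, int] = {}
    for f in findings:
        summary[f.status] = summary.get(f.status, 0) + 1
    gaps = [f for f in findings if f.status == "gap"]
    return findings, summary, gaps


# Constructed sample inventory (hostnames and products are invented for the example).
SAMPLE_INVENTORY = [
    Asset("pos-01", "Windows", True, anti_malware="ExampleAV 9"),
    Asset("web-01", "Linux", True),
    Asset("imac-hr", "macOS", True,
          exemption_rationale="read-only reporting host; change ticket CR-EXAMPLE reviewed by security"),
    Asset("batch-mf", "z/OS", True),
    Asset("offline-kiosk", "Windows", False),
    Asset("ctrl-plc", "VxWorks", True),
]

if __name__ == "__main__":
    findings, summary, gaps = assess(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.hostname:14} {f.status:22} {f.reason}")
    print("summary:", summary)
    print("open gaps:", [g.hostname for g in gaps])
```

The useful output for an assessment is the `gap` list together with the `exempt_documented` entries: the former needs a solution installed, the latter is where the written rationale is reviewed rather than taken on trust. Feeding the script from a real CMDB export instead of `SAMPLE_INVENTORY` is a matter of building `Asset` rows from that export.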