PCI Requirement 5.4 – Ensure Security Policies and Procedures are Known to all Affected Parties

by Randy Bartels / August 23rd, 2017

PCI Requirement 5 states, “Protect all systems against malware and regularly update anti-virus software or programs.” For this requirement, we’ve discussed the five sub-requirements and topics such as anti-virus solutions, malware protection, commonly affected systems, and the evolving threat landscape. Meeting PCI Requirement 5 will protect your organization from malware infection. But, as we’ve learned, it’s not enough just to learn and talk about these things. All policies, procedures, and standards must be implemented in order to comply with PCI Requirement 5.

Requirement 5.4 states, “Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.” This says more than that your organization needs to maintain documented security policies and operational procedures; the policies and procedures also need to be known and in use by all relevant parties. Your personnel must be implementing what the policies, procedures, and standards require of them. It is a requirement of this framework that the affected parties actually use the policies and procedures. It is not sufficient to generate documentation just for the sake of the audit. Your assessor should be reading these documents, becoming familiar with the policies and procedures, and interviewing staff to make sure that anybody who is subject to the policies and procedures understands what they are.

PCI DSS Requirement 5.4 requires that you have a documentation program around your anti-virus program. Your assessors are going to be looking for the documentation, policies, and procedures to see that they’re appropriate. They’re going to make sure that whatever you’ve documented is actually what’s being used. Then they will interview the staff who are subject to these policies to make sure they understand them.