PCI Requirement 5: Protecting Your System with Anti-Virus
Learn what you need to know about anti-virus software.
|By: George Mateaki|
Do your systems have antivirus installed? Do you regularly update the software? Do you have a way to prevent your systems from getting infected by malware? These are some of the main issues that PCI DSS Requirement 5 covers.
Requirement 5 deals primarily with installing and maintaining an anti-virus software. Any business with systems that could be affected by malware should install anti-virus.
Here are a few things you should know about PCI Requirement 5 and anti-virus software.SEE ALSO: Ditch Typical Anti Virus for True PCI Requirement 5 Compliance
Why install anti-virus?PCI DSS requires anti-virus to be installed on all systems that are commonly affected by malware
(e.g., Windows). Beyond financial requirements, anti-virus software also offers an additional layer of security to any system within a network.
When system administrators understand that anti-virus adds another line of defense to their environment, they have an advantage when it comes to securing the sensitive data it contains.
Using outside sources such as the United States Computer Emergency Readiness Team (US-CERT), SANS Institute, and vendor/anti-virus threat feeds, you can identify emerging malware and attacks on systems. You can then configure systems to alert and report on suspicious activity, such as new files added to known malware directories or unauthorized access attempts.
Vigilant vulnerability management is the most effective way for you to proactively reduce the window of compromise, greatly narrowing the opportunity for hackers to successfully attack your systems and steal valuable data.
System administrators have the responsibility of making sure their anti-virus software, including the signatures, are up to date. This applies to either a master anti-virus server client-based configuration or single server/workstation installations. Additionally, PCI DSS requires anti-virus scanning to occur on a regular basis.
Depending on your relationship with your POS vendor, they may or may not maintain your anti-virus scanning. If your vendor is not handling anti-virus, it’s up to you to ensure up-to-date, regular scanning.
SEE ALSO: 3 Data Security Best Practices
What if you use Linux?Linux servers are considered systems not commonly affected by malware. However, if a Linux server is web facing, it’s highly recommended that anti-virus be installed for any web-facing Linux server.
Contrary to popular belief, malicious coders target Linux systems as well as Windows. The risk is too great not to run anti-virus on web-facing Linux systems.
Additional tipsHere are a few other things to consider when getting compliant with Requirement 5.
- Document everything: Make sure all procedures regarding anti-virus are documented and shared with your employees
- Scan your systems regularly: You’ll need to find vulnerabilities before your business suffers a breach. Schedule regular vulnerability scanning for your systems
- Maintain and evaluate audit logs with IT staff: make sure you have someone going through the logs. A warning of a breach is no good if no one can hear it.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.