PCI DSS Requirement 5 - Changes from v3.2.1 to v4.0 Explained

Published on : 29 Jan 2024


PCI DSS Requirement 5

Welcome back to our ongoing series on the Payment Card Industry Data Security Standard (PCI DSS). We’ve been journeying through the various requirements of this critical security standard, and today, we’re moving forward to explore Requirement 5 of PCI DSS v4.0. So, let’s get started! To learn more about the other requirements of PCI DSS, check out our comprehensive guide on the “12 requirements of PCI DSS.”

Understanding Requirement 5 of PCI DSS in Short: 

Requirement 5: Safeguard All Systems and Networks Against Malicious Software 

Subsections:

  • 5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.  
  • 5.2 Malicious software (malware) is prevented, or detected and addressed.  
  • 5.3 Anti-malware mechanisms and processes are active, maintained, and monitored.  
  • 5.4 Anti-phishing mechanisms protect users against phishing attacks.

In-depth Look:

Malicious software, or malware, refers to any software or firmware that is designed to infiltrate or damage a computer system without the owner’s informed consent. Its intent is to compromise the confidentiality, integrity, or availability of the owner’s data, applications, or the operating system itself. This includes viruses, worms, Trojans, spyware, ransomware, keyloggers, rootkits, and malicious code, scripts, and links. 

Malware can infiltrate the network through various business-approved activities. This includes employee e-mail (for instance, via phishing), internet usage, mobile computers, and storage devices, leading to the exploitation of system vulnerabilities. 

Employing anti-malware solutions that address all types of malware is crucial in safeguarding systems from both current and evolving malware threats. Note that v4.0 also allows continuous behavioral analysis of systems or processes as an alternative to periodic and real-time scanning, so "anti-malware solution" in v4.0 is broader than the signature-based "anti-virus software" of v3.2.1.

Now, let’s examine the changes and new requirements introduced in PCI DSS v4.0, compared to PCI DSS v3.2.1. 

Each change is listed below with the PCI DSS v3.2.1 text, the corresponding PCI DSS v4.0 text, and the specifications of the requirement.

Change 1: Roles and responsibilities (v4.0 Requirement 5.1.2)

PCI DSS v3.2.1: No corresponding requirement.

PCI DSS v4.0: 5.1.2 The tasks and duties associated with Requirement 5 are clearly defined, allocated, and comprehended.

-> 5.1.2.a Review the written records to confirm that the roles and duties associated with Requirement 5 are clearly defined and allocated.

-> 5.1.2.b Conduct interviews with staff responsible for Requirement 5 to ensure that the roles and duties are allocated as per the documentation and are comprehended.

Specifications of the requirement: A new requirement for roles and responsibilities has been introduced. It is effective immediately for all v4.0 assessments.

Change 2: System components not susceptible to malware (v3.2.1 Requirement 5.1.2 -> v4.0 Requirement 5.2.3)

PCI DSS v3.2.1: 5.1.2 For systems that are typically not susceptible to malicious software, carry out regular assessments to detect and assess emerging malware threats, in order to ascertain whether these systems continue to not necessitate anti-virus software.

-> 5.1.2 Conduct discussions with staff to ensure that they are monitoring and assessing emerging malware threats for systems that are generally not prone to malicious software, to confirm whether these systems persist in not needing anti-virus software.

PCI DSS v4.0: 5.2.3 System components that are not susceptible to malware undergo regular evaluations, which include the following:

-> A documented inventory of all system components that are not susceptible to malware.

-> Identification and assessment of emerging malware threats for these system components.

-> Verification whether these system components continue to not need anti-malware protection.

-> 5.2.3.a Review documented policies and procedures to confirm that a process is established for regular evaluations of any system components that are not susceptible to malware, encompassing all elements specified in this requirement.

-> 5.2.3.b Conduct discussions with staff to confirm that the evaluations encompass all elements specified in this requirement.

-> 5.2.3.c Review the list of system components identified as not susceptible to malware and compare it with the system components without an anti-malware solution deployed as per Requirement 5.2.1, to confirm that the system components align for both requirements.

Specifications of the requirement: The requirement has been refined by shifting its emphasis to "system components that are not susceptible to malware." In practice this means the documented not-susceptible inventory and the set of components without anti-malware must be the same list; any component missing from both is a finding.

Change 3: Frequency of evaluations for not-susceptible components (v4.0 Requirement 5.2.3.1)

PCI DSS v3.2.1: New requirement in PCI DSS v4.0.

PCI DSS v4.0: 5.2.3.1 The regularity of evaluations for system components deemed not susceptible to malware is determined by the entity's targeted risk analysis, which is conducted in line with all elements outlined in Requirement 12.3.1.

-> 5.2.3.1.a Review the entity's targeted risk analysis for the regularity of evaluations of system components deemed not susceptible to malware to confirm that the risk analysis was conducted in line with all elements outlined in Requirement 12.3.1.

-> 5.2.3.1.b Review the documented outcomes of regular evaluations of system components deemed not susceptible to malware and conduct discussions with staff to confirm that evaluations are conducted at the regularity defined in the entity's targeted risk analysis performed for this requirement.

Specifications of the requirement: New requirement to establish the regularity of evaluations for system components not susceptible to malware in the entity's targeted risk analysis. This requirement is a best practice until March 31, 2025, after which it is required.

Change 4: Maintenance of anti-malware mechanisms (v3.2.1 Requirement 5.2 -> v4.0 Requirements 5.3.1, 5.3.2 and 5.3.4)

PCI DSS v3.2.1: 5.2 Ensure that all anti-virus mechanisms are upheld as follows:

-> They are kept up to date,

-> They carry out regular scans, and

-> They produce audit logs which are preserved as per PCI DSS Requirement 10.7.

-> 5.2.a Review policies and procedures to confirm that it is mandatory for anti-virus software and definitions to be kept current.

-> 5.2.b Inspect anti-virus configurations, including the primary installation of the software, to confirm that anti-virus mechanisms are set up to perform automatic updates and configured to carry out regular scans.

-> 5.2.c Review a selection of system components, including all operating system types typically affected by malicious software, to confirm that the anti-virus software and definitions are up to date and that regular scans are carried out.

-> 5.2.d Inspect anti-virus configurations, including the primary installation of the software and a selection of system components, to confirm that anti-virus software log generation is activated and that logs are preserved in line with PCI DSS Requirement 10.7.

PCI DSS v4.0: 5.3.1 The anti-malware solution(s) is kept current via automatic updates.

-> 5.3.1.a Inspect the configurations of the anti-malware solution(s), including any primary installation of the software, to confirm the solution is set up to carry out automatic updates.

-> 5.3.1.b Review system components and logs to verify that the anti-malware solution(s) and definitions are current and have been deployed promptly.

5.3.2 The anti-malware solution(s):

-> Conducts regular scans and active or real-time scans, OR

-> Carries out continuous behavioral analysis of systems or processes.

-> 5.3.2.a Review the configurations of the anti-malware solution(s), including any primary installation of the software, to confirm the solution(s) is set up to perform at least one of the elements specified in this requirement.

-> 5.3.2.b Inspect system components, including all operating system types identified as susceptible to malware, to confirm the solution(s) is activated in line with at least one of the elements specified in this requirement.

-> 5.3.2.c Review logs and scan results to confirm that the solution(s) is activated in line with at least one of the elements specified in this requirement.

5.3.4 Audit logs for the anti-malware solution(s) are enabled and retained in line with Requirement 10.5.1.

-> 5.3.4 Inspect the configurations of the anti-malware solution(s) to confirm logs are enabled and retained in line with Requirement 10.5.1.

Specifications of the requirement: A single v3.2.1 requirement has been divided into three distinct requirements, each focusing on a specific area:

-> Keeping the anti-malware solution current through automatic updates (5.3.1),

-> Conducting regular scans and active or real-time scans, with continuous behavioral analysis added as an alternative (5.3.2),

-> Producing audit logs from the anti-malware solution (5.3.4).

Change 5: Frequency of periodic malware scans (v4.0 Requirement 5.3.2.1)

PCI DSS v3.2.1: New requirement in PCI DSS v4.0.

PCI DSS v4.0: 5.3.2.1 If regular malware scans are conducted to fulfill Requirement 5.3.2, the regularity of scans is determined in the entity's targeted risk analysis, which is carried out in line with all elements outlined in Requirement 12.3.1.

-> 5.3.2.1.a Review the entity's targeted risk analysis for the regularity of regular malware scans to confirm that the risk analysis was conducted in line with all elements outlined in Requirement 12.3.1.

-> 5.3.2.1.b Inspect the documented outcomes of regular malware scans and conduct discussions with staff to confirm that scans are carried out at the regularity defined in the entity's targeted risk analysis performed for this requirement.

Specifications of the requirement: New requirement to establish the regularity of regular malware scans in the entity's targeted risk analysis. This requirement is a best practice until March 31, 2025, after which it is required. It applies only where periodic scans are the chosen option under 5.3.2; an entity relying on continuous behavioral analysis has no scan frequency to define.

Change 6: Removable electronic media (v4.0 Requirement 5.3.3)

PCI DSS v3.2.1: New requirement in PCI DSS v4.0.

PCI DSS v4.0: 5.3.3 For removable electronic media, the anti-malware solution(s):

-> Conducts automatic scans when the media is inserted, connected, or logically mounted, OR

-> Carries out continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.

-> 5.3.3.a Review the configurations of the anti-malware solution(s) to confirm that, for removable electronic media, the solution is set up to perform at least one of the elements outlined in this requirement.

-> 5.3.3.b Inspect system components with removable electronic media connected to confirm that the solution(s) is activated in line with at least one of the elements outlined in this requirement.

-> 5.3.3.c Review logs and scan results to confirm that the solution(s) is activated in line with at least one of the elements outlined in this requirement.

Specifications of the requirement: New requirement for an anti-malware solution for removable electronic media. This requirement is a best practice until March 31, 2025, after which it is required.

Change 7: Anti-phishing mechanisms (v4.0 Requirement 5.4.1)

PCI DSS v3.2.1: New requirement in PCI DSS v4.0.

PCI DSS v4.0: 5.4.1 Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

-> 5.4.1 Inspect the implemented processes and examine the mechanisms to confirm that controls are in place to detect and protect personnel against phishing attacks.

Specifications of the requirement: New requirement to detect and protect personnel against phishing attacks. This requirement is a best practice until March 31, 2025, after which it is required.
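The testing procedures above are, in practice, reconciliations over an asset inventory: the not-susceptible list must equal the set of components without anti-malware (5.2.3.c), definitions must be current (5.3.1), every protected component must either be scanned at the cadence set by the risk analysis or run behavioral analysis (5.3.2 and 5.3.2.1), removable media must be scanned on mount or covered by behavioral analysis (5.3.3), and logging must be on (5.3.4). The script below is an added example, not part of the PCI DSS text or of the original post, that runs those checks over a constructed inventory. The field names, the 7-day scan interval and the 24-hour definition age are assumptions standing in for what an entity's own risk analysis would define.

```python
"""Added example: reconcile a constructed anti-malware inventory against the
PCI DSS v4.0 Requirement 5 testing procedures. Not from the standard or the post."""
from datetime import datetime, timedelta, timezone

# Assumed "now" so the sample is reproducible offline.
NOW = datetime(2024, 1, 29, 12, 0, tzinfo=timezone.utc)

# Constructed inventory (hostnames and values are illustrative, not real systems).
INVENTORY = [
    {"host": "pos-app-01", "os": "Windows Server 2019", "anti_malware": True,
     "not_susceptible": False, "definitions_updated": NOW - timedelta(hours=3),
     "last_scan": NOW - timedelta(days=2), "behavioral_analysis": False,
     "removable_media_scan": True, "audit_logging": True},
    {"host": "db-01", "os": "RHEL 9", "anti_malware": True,
     "not_susceptible": False, "definitions_updated": NOW - timedelta(days=9),
     "last_scan": None, "behavioral_analysis": True,
     "removable_media_scan": False, "audit_logging": True},
    {"host": "core-sw-01", "os": "switch firmware", "anti_malware": False,
     "not_susceptible": True, "definitions_updated": None,
     "last_scan": None, "behavioral_analysis": False,
     "removable_media_scan": False, "audit_logging": False},
    {"host": "legacy-kiosk", "os": "Windows 10", "anti_malware": False,
     "not_susceptible": False, "definitions_updated": None,
     "last_scan": None, "behavioral_analysis": False,
     "removable_media_scan": False, "audit_logging": False},
    {"host": "jump-01", "os": "Ubuntu 22.04", "anti_malware": True,
     "not_susceptible": False, "definitions_updated": NOW - timedelta(hours=20),
     "last_scan": NOW - timedelta(days=40), "behavioral_analysis": False,
     "removable_media_scan": False, "audit_logging": False},
]


def reconcile_not_susceptible(inventory):
    """5.2.3.c: the documented not-susceptible list must equal the set of
    components with no anti-malware deployed (5.2.1).
    Returns (missing, extra): hosts without anti-malware that are not on the
    list, and listed hosts that do run anti-malware."""
    no_am = {c["host"] for c in inventory if not c["anti_malware"]}
    listed = {c["host"] for c in inventory if c["not_susceptible"]}
    return sorted(no_am - listed), sorted(listed - no_am)


def check_component(c, now, scan_interval, max_definition_age):
    """Return the v4.0 sub-requirements a protected component fails."""
    findings = []
    # 5.3.1: definitions kept current via automatic updates. This applies even
    # when behavioral analysis is used; the engine itself still needs updating.
    age = None if c["definitions_updated"] is None else now - c["definitions_updated"]
    if age is None or age > max_definition_age:
        findings.append("5.3.1")
    # 5.3.2: periodic scans at the cadence from the risk analysis (5.3.2.1),
    # OR continuous behavioral analysis. Either option satisfies it.
    scanned = c["last_scan"] is not None and now - c["last_scan"] <= scan_interval
    if not (scanned or c["behavioral_analysis"]):
        findings.append("5.3.2")
    # 5.3.3: removable media scanned on insert/mount, OR behavioral analysis.
    if not (c["removable_media_scan"] or c["behavioral_analysis"]):
        findings.append("5.3.3")
    # 5.3.4: audit logs enabled (retention per 10.5.1 is not modelled here).
    if not c["audit_logging"]:
        findings.append("5.3.4")
    return findings


def assess(inventory, now=NOW, scan_interval_days=7, max_definition_age_hours=24):
    """Map host -> failed sub-requirements for every component running anti-malware.
    Components without anti-malware are handled by reconcile_not_susceptible()."""
    scan_interval = timedelta(days=scan_interval_days)
    max_age = timedelta(hours=max_definition_age_hours)
    return {c["host"]: check_component(c, now, scan_interval, max_age)
            for c in inventory if c["anti_malware"]}


if __name__ == "__main__":
    missing, extra = reconcile_not_susceptible(INVENTORY)
    print("5.2.3.c: no anti-malware and not on the not-susceptible list:", missing)
    print("5.2.3.c: listed as not susceptible but running anti-malware:", extra)
    for host, failed in assess(INVENTORY).items():
        print(f"{host}: {'OK' if not failed else 'fails ' + ', '.join(failed)}")
```

In the constructed data, legacy-kiosk is the 5.2.3.c gap (no anti-malware and not on the not-susceptible list), db-01 passes 5.3.2 and 5.3.3 through behavioral analysis but fails 5.3.1 on stale definitions, and jump-01 fails 5.3.2, 5.3.3 and 5.3.4. Feed the same functions real export data from the anti-malware console and the CMDB to produce evidence for 5.2.3.c, 5.3.1.b, 5.3.2.c and 5.3.3.c.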

 

Also Read : PCI DSS Requirement 4

Conclusion:

This blog post details the changes to Requirement 5 from PCI DSS v3.2.1 to v4.0. We strive for accuracy in representing the requirements and testing procedures. If you’re interested in other requirements, see our previous posts.

Adhering to Requirement 5 is crucial for maintaining a secure network by protecting against malware and keeping anti-virus software up to date. This safeguards sensitive data and builds customer trust.

Note this post serves as a general guide, not professional advice. Consult a qualified professional for your specific situation.

VISTA InfoSec has over 30 years of cybersecurity and data privacy expertise. Our upcoming post will cover Requirement 6. We appreciate your continued readership.

 

Let us help you

Need help navigating PCI DSS v4.0? We have been active in the PCI DSS space since 2008 and even certify payment brands. Our PCI DSS services provide assurance on card security controls, with offerings for both product platform and backend services attestation.

We have a dedicated team of auditors and a separate team for consulting and advisory assignments, so we can also help clients define processes and achieve compliance.

We have completed multiple PCI DSS v4.0 certifications, from scoping through readiness assessment, advisory and final certification.

We are vendor neutral and have a strict no-outsourcing policy. We can also assist you with the technical assessments needed for PCI DSS Compliance – Vulnerability Assessment, Penetration Testing, Network Segmentation Testing, Network Architecture Review, Firewall Assessment, Secure Configuration Assessment, Web and Mobile Application Security Assessment, and Secure Code Review.

 

You can also watch the video on PCI DSS Requirement 5

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.