Requirement 5: Protect all systems and networks from malicious software

Please provide the information below to view the online Verizon Payment Security Report.

The information provided will be used in accordance with our terms set out in our Privacy Notice. Please confirm you have read and understood this Notice.

By submitting the form, you are agreeing to receive insights, reports and other information from Verizon and affiliated companies in accordance with our Privacy Policy. California residents can view our California Privacy Notice.

Verizon may wish to contact you in the future concerning its products and/or services. If you would like to receive these communications from Verizon, indicate by selecting from the dropdown menu below. Please note that you can unsubscribe or update your preferences at any time.

Indicates a required field. The content access link will be emailed to you.

View only

Thank You.

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

  • This requirement concerns protecting all systems commonly affected by malicious software (malware) against viruses, worms and Trojans.

  • Figure 14. Global state of PCI DSS compliance: Requirement 5

  • Full compliance: Full compliance improved from 82.5% to 88.4%, which is still a bit lower than its 90%-plus performance in 2015 and 2016. In relation to long-term trends, Requirement 5 consistently maintains the highest level of full compliance, together with Requirements 7 and 4.

    Control gap: The improvement of the control gap doubled, with the gap reducing from a high of 9.6% to a more respectable 4.3%.

    While the gap with Control 5.2 improved significantly (-4.7 pp), it remains the worst-performing control under Requirement 5.

    Compensating controls: The use of compensating controls increased to 2.3%. Control 5.2 is compensated the most, but by a very small number of organizations (1.2%) with a legitimate business or technical reason for not being able to maintain all anti-malware systems.

  • Figure 15. Requirement 5 control performance

    • A tip on sustainable control effectiveness

      Antivirus solutions are only as good as the detection technology and definitions they are running. Permit automatic updating of antivirus mechanisms and, where possible, restrict the operation of systems running outdated definitions. Integrate endpoint solutions and automate monitoring and management.

  • Requirement 5: Protect all systems and networks from malicious software

    The goal

    The goal of PCI DSS Key Requirement 5 is to ensure that all relevant systems across the CDE commonly affected by malicious software remain protected at all times against known and evolving malware threats with an effective anti-malware solution, and that organizational capability to respond to malware-related incidents is continuously in place and corrective action is taken in a timely manner to prevent or contain malware contamination of the CDE.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • Technology components: This goal applies to all in-scope system components known to be affected by malware, which may include servers, employee computers, mobile computers, email systems and storage devices, including related logging, monitoring and incident response systems
    • People and teams: The goal also includes the individuals and teams responsible for the deployment, monitoring and response to malware-related incidents, the training and education of end users that access any CDE system components, and third-party vendors that supply or support anti-malware and related security system components

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Capability—deployment: Create a standardized deployment and maintenance process capability for the anti-malware system to be installed and remain active on all in-scope system components, which includes a defined process for identifying in-scope components, i.e., systems commonly affected by malware
    • Capability—anti-malware functions: Install anti-malware systems capable of detecting various types of malicious software to protect systems from current and evolving malware threats, including viruses, worms, Trojans, spyware, adware, ransomware, keyloggers, rootkits, malicious code, scripts and malicious links on in-scope system components, such as servers, employee computer systems, mobile computers, email systems and storage devices. It must include automated regular updates, generating alerts
    • Capability—automation and monitoring: Standardize and automate the deployment and maintenance of anti-malware systems; particularly in large environments, automate the inability to disable anti-malware without management approval, and automate alerts and the ability to detect an alert when an anti-malware system is inactive on an in-scope component
    • Capability—detection and response: Integrate anti-malware systems, network access control (NAC) systems and a centralized security information and event management (SIEM) system for the aggregation of security log data across CDE for normalization, analysis and effective monitoring and response
    • Documentation and processes: Maintain effective standard operating procedures, with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on how to follow the documented procedures. Internally monitor and report adherence to procedures

    Strong dependencies and integration with other key requirements

    • Requirement 1: Integration with network security components, for network-based anti-malware protection
    • Requirement 2: The security configuration of anti-malware system components
    • Requirement 6: Integration with system hardening of components, such as NAC
    • Requirement 10: Integration with logging and monitoring systems
    • Requirement 11: Sufficient security testing of anti-malware systems
    • Requirement 12: The risk-based re-evaluation of systems not known to be affected by malware

    Short-term objectives

    • Scope and automation: Implement and maintain a configuration management system for the effective, automatic identification and status synchronization and reporting of all in-scope components across the entire CDE
    • Communication: Document and communicate configuration standards and implementation procedures, management and monitoring procedures for all system components across the CDE

    Long-term objectives

    • Improvement: Improve the integration of security and refine configurations and support processes, documentation and training, monitoring, and reporting
    • Maturity: Achieve and maintain high performance of process and capability maturity on the deployment, maintenance and monitoring of anti-malware components, alerts and incident response

    Common constraints

    • Cost: Lack of budget to deploy and maintain advanced integrated end-point security solutions
    • Competency: Lack of qualified staff to properly integrate and maintain various endpoint solutions