NL +31 (0)20 4232420 / SP +34 937 379 542

This blog is part of a blog series on the 12 PCI DSS Requirements. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement.


Requirement 5: Protect all systems against all type of malware


This requirement focuses on protection against all types of malware that can affect systems. The word ‘malware’ (or ‘malicious software’) is a general name of all types of software that is presented as a threat that enters the network and takes advantage of the vulnerabilities of the system. These types of software are popularly known as viruses, worms, rootkits, adware and Trojans.

New attacks continually emerge in order to exploit system vulnerabilities, often called “zero-day” (an attack that exploits a previously unknown vulnerability), against otherwise secure systems.

Without an anti-virus solution that is updated regularly, these new forms of malicious software can attack systems, disable a network, or lead to a data compromise.


4 tips to remember


  1. If for the components of the PCI DSS scope the antivirus technology exists, it must be implemented in all of them.
  2. The anti-virus solution must be able to detect, remove and protect against all types of malicious software such as Trojans, worms, spyware, adware, and rootkits.
  3. The anti-virus solution must be maintained with the latest security updates and signature files.
  4. The anti-virus solution must provide the ability to monitor virus and malware activity through the audit logs. These audit logs must be administered according to PCI DSS requirement 10.


From the security point of view, you should not delegate responsibility only to the antivirus solution or consider that your systems are safe because they implement software that is not usually attacked by malware. Trends in malicious software and the identification of new security vulnerabilities should be incorporated into configuration standards and protection mechanisms.

Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data  
PCI DSS requirement 4: Encryption  
PCI DSS requirement 5: Update and Scan 
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD 
PCI DSS requirement 8: Identify, Authenticate, and Authorize  
PCI DSS requirement 9: Restrict physical access to Cardholder data 
PCI DSS requirement 10: Track and monitor all access to network resources and cardholder data