Timeline for PCI DSS 4.0: The Fifth Requirement and Malicious Software

Malware is an ever-present, if sometimes forgotten, threat to our IT systems. We tend to think that anti-malware and other security measures have effectively blocked out the threats of old worms and viruses. The real threat is against network and application security. However, hackers always look to launch malware into compromised systems to listen, learn, and steal information. 

The fifth requirement of PCI DSS 4.0 is all about protection against malware. IT systems handling PAN or other cardholder information must have specific anti-malware security measures to mitigate these threats and ensure that they haven’t made their way into protected system resources. 

What Are Different Threats from Malware?

“Malware” is a catch-all term referring to malicious software or any application a hacker uses to take control of a system for nefarious purposes. 

The origins of malware actually reside in the term more commonly used throughout the earlier history of computing–viruses. Computer viruses, or malicious and replicating programs, were the stuff of nightmares for security experts in the 1980s through the early 2000s. Viruses made up the public’s cybersecurity lexicon, alongside worms (self-transmitting viruses) and trojans (viruses hidden behind seemingly-legitimate software).

Malware became more accepted when it became clear that several forms of malicious software exist outside the virus metaphor. Some of these include:

• Ransomware: One of the biggest challenges for security experts in modern times is the propagation of ransomware, or malware that encrypts a system’s data, demanding a ransom before returning the decryption key. Many enterprises and other businesses have become the target of ransomware, including industrial companies responsible for energy production and oil reserves.
• Keyloggers: A passive form of malware, keyloggers do simply that–register, record, and share keystrokes in a given computer to collect authentication and authorization information or other forms of private communication.
• Rootkits: The term “root” refers to the superuser on a Unix or Linux system. The root user has (all other things being equal) complete control over the system. A rootkit, therefore, is a piece of malware specifically built to break access to the root account, take over, and allow the hacker to control the machine as if they were an administrator (including changing configuration settings, logging all communications, or installing other software for operating on a botnet).
• Grayware: Grayware is a middle ground between malware and legit software. Common forms of malware include adware installed alongside downloads from the internet or programs that monitor user activity as they use a program.
• Advanced Persistent Threats (APTs): APTs aren’t specifically malware or exclusively malware-based. However, they are long-lasting and advanced attacks that typically use some form of malware (in combination with phishing and other threats) to launch their attacks. APTs are some of the most sophisticated and dangerous forms of cyber threat, and state-sponsored hacking groups represent many.

What Is the Fifth Requirement of PCI DSS 4.0?

The fifth requirement, “Protect All Systems and Networks from Malicious Software,” is (as the name suggested) focused on implementing preventative and remediation measures to address the malware threat. 

On the surface, these requirements are quite simple, but they do require constant vigilance on the part of the compliant organization. As malware continuously evolves, the expectation is that anti-malware measures will evolve as well. 

5.1 – Defining Processes and Mechanisms for Protecting Against Malware

• Documentation: As with every other requirement, all anti-malware procedures, technologies, and policies must be well documented and shared with relevant stakeholders inside the organization.
• Roles and Responsibilities: Likewise, your organization must have a clearly-defined hierarchy of roles and responsibilities for handling anti-malware capabilities, updating anti-malware measures, and maintaining monitoring and training for these measures. Every task associated with this requirement is allocated to a person in this hierarchy.

5.2 – Malicious Malware is Prevented, or Detected and Addressed

• All System Components Must Be Protected: Anti-malware must protect any system or components. Unlike data-specific requirements, this expectation assumes that malware in a non-sensitive system can compromise cardholder data in any other system and thus covers all potentially affected resources.
• Comprehensive Anti-Malware: The anti-malware solutions must recognize all known malware and contain measures capable of quarantining, blocking, or removing all known malware types.
• Exceptions to Coverage: If resources are not subject to threats of malware, then they may be excluded from protection so long as they are inventoried, monitored, and no malware threats emerge for those specific components. The risk of malware threat must be evaluated periodically based on the organization’s risk assessment (outlined in requirement 12).

5.3 – Anti-Malware Mechanisms and Processes Are Active and Maintained

• Anti-Malware Solutions Are Kept Up to Date: Anti-malware services must be kept current via automatic updates through a trusted source (typically the provider of the malware or official malware databases offered through security firms).
• Automatic, Periodic Scans: To ensure effectiveness and security, anti-malware solutions must perform periodic scans of protected resources. Additionally, PCI DSS 4.0 recommends using regular active scans alongside these passive scans to aid in the discovery of emerging or zero-day vulnerabilities.
• Removable Media: Any removable media (disks, hard drives, USB drives, etc.) must be automatically scanned when connected to protected resources and (as a best practice) actively scanned periodically to look for malware or user behaviors indicative of a potential malware attack.
• Disabling: The only time that anti-malware solutions can be disabled is if that instance of disabling is approved on a case-by-case basis, with documentation regarding reasoning and timeframes.

5.4 – Anti-Phishing Mechanisms Protect Against Phishing

• Automatic Detection: Phishing is one of the major vectors by which malware enters secure systems, and your organization must include measures to protect against phishing threats. These can include anti-spoofing controls, Domain-Based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM). 

Prepare for PCI DSS 4.0 with Lazarus Alliance

As we dig into the requirements of PCI DSS, you will see the increasing complexity and interoperability of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t just to complete a checklist. However–they are tried-and-true security practices that will help support your security efforts ten years from now.

Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→