Timeline for PCI DSS 4.0: The Fifth Requirement and Malicious Software

PCI DSS 4.0 featured

Malware is an ever-present, if sometimes forgotten, threat to our IT systems. We tend to think that anti-malware and other security measures have effectively blocked out the threats of old worms and viruses. The real threat is against network and application security. However, hackers always look to launch malware into compromised systems to listen, learn, and steal information. 

The fifth requirement of PCI DSS 4.0 is all about protection against malware. IT systems handling PAN or other cardholder information must have specific anti-malware security measures to mitigate these threats and ensure that they haven’t made their way into protected system resources. 


What Are Different Threats from Malware?

“Malware” is a catch-all term referring to malicious software or any application a hacker uses to take control of a system for nefarious purposes. 

The origins of malware actually reside in the term more commonly used throughout the earlier history of computing–viruses. Computer viruses, or malicious and replicating programs, were the stuff of nightmares for security experts in the 1980s through the early 2000s. Viruses made up the public’s cybersecurity lexicon, alongside worms (self-transmitting viruses) and trojans (viruses hidden behind seemingly-legitimate software).

Malware became more accepted when it became clear that several forms of malicious software exist outside the virus metaphor. Some of these include:

  • Ransomware: One of the biggest challenges for security experts in modern times is the propagation of ransomware, or malware that encrypts a system’s data, demanding a ransom before returning the decryption key. Many enterprises and other businesses have become the target of ransomware, including industrial companies responsible for energy production and oil reserves.
  • Keyloggers: A passive form of malware, keyloggers do simply that–register, record, and share keystrokes in a given computer to collect authentication and authorization information or other forms of private communication.
  • Rootkits: The term “root” refers to the superuser on a Unix or Linux system. The root user has (all other things being equal) complete control over the system. A rootkit, therefore, is a piece of malware specifically built to break access to the root account, take over, and allow the hacker to control the machine as if they were an administrator (including changing configuration settings, logging all communications, or installing other software for operating on a botnet).
  • Grayware: Grayware is a middle ground between malware and legit software. Common forms of malware include adware installed alongside downloads from the internet or programs that monitor user activity as they use a program.
  • Advanced Persistent Threats (APTs): APTs aren’t specifically malware or exclusively malware-based. However, they are long-lasting and advanced attacks that typically use some form of malware (in combination with phishing and other threats) to launch their attacks. APTs are some of the most sophisticated and dangerous forms of cyber threat, and state-sponsored hacking groups represent many.


What Is the Fifth Requirement of PCI DSS 4.0?


The fifth requirement, “Protect All Systems and Networks from Malicious Software,” is (as the name suggested) focused on implementing preventative and remediation measures to address the malware threat. 

On the surface, these requirements are quite simple, but they do require constant vigilance on the part of the compliant organization. As malware continuously evolves, the expectation is that anti-malware measures will evolve as well. 


5.1 – Defining Processes and Mechanisms for Protecting Against Malware

  • Documentation: As with every other requirement, all anti-malware procedures, technologies, and policies must be well documented and shared with relevant stakeholders inside the organization.
  • Roles and Responsibilities: Likewise, your organization must have a clearly-defined hierarchy of roles and responsibilities for handling anti-malware capabilities, updating anti-malware measures, and maintaining monitoring and training for these measures. Every task associated with this requirement is allocated to a person in this hierarchy.


5.2 – Malicious Malware is Prevented, or Detected and Addressed

  • All System Components Must Be Protected: Anti-malware must protect any system or components. Unlike data-specific requirements, this expectation assumes that malware in a non-sensitive system can compromise cardholder data in any other system and thus covers all potentially affected resources.
  • Comprehensive Anti-Malware: The anti-malware solutions must recognize all known malware and contain measures capable of quarantining, blocking, or removing all known malware types.
  • Exceptions to Coverage: If resources are not subject to threats of malware, then they may be excluded from protection so long as they are inventoried, monitored, and no malware threats emerge for those specific components. The risk of malware threat must be evaluated periodically based on the organization’s risk assessment (outlined in requirement 12).

5.3 – Anti-Malware Mechanisms and Processes Are Active and Maintained

  • Anti-Malware Solutions Are Kept Up to Date: Anti-malware services must be kept current via automatic updates through a trusted source (typically the provider of the malware or official malware databases offered through security firms).
  • Automatic, Periodic Scans: To ensure effectiveness and security, anti-malware solutions must perform periodic scans of protected resources. Additionally, PCI DSS 4.0 recommends using regular active scans alongside these passive scans to aid in the discovery of emerging or zero-day vulnerabilities.
  • Removable Media: Any removable media (disks, hard drives, USB drives, etc.) must be automatically scanned when connected to protected resources and (as a best practice) actively scanned periodically to look for malware or user behaviors indicative of a potential malware attack.
  • Disabling: The only time that anti-malware solutions can be disabled is if that instance of disabling is approved on a case-by-case basis, with documentation regarding reasoning and timeframes.


5.4 – Anti-Phishing Mechanisms Protect Against Phishing

  • Automatic Detection: Phishing is one of the major vectors by which malware enters secure systems, and your organization must include measures to protect against phishing threats. These can include anti-spoofing controls, Domain-Based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM). 


Prepare for PCI DSS 4.0 with Lazarus Alliance

As we dig into the requirements of PCI DSS, you will see the increasing complexity and interoperability of the different technologies, policies, and practices you’ll need to deploy to receive PCI verification and maintain compliance. These practices aren’t just to complete a checklist. However–they are tried-and-true security practices that will help support your security efforts ten years from now.


Are You Thinking Ahead for PCI DSS 4.0?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form.

Lazarus Alliance