PCI DSS Requirement 5 mandates the use of anti-malware solutions on all in-scope systems unless the system is specifically documented as not being at risk from malware.
Examples of systems not at risk include those using operating systems that do not support anti-malware tools, provided proper justifications and alternative controls are implemented.
Assessment Considerations
QSAs must verify and document why a system is considered "not at risk."
Systems storing, processing, or transmitting cardholder data or that could impact the CDE are generally in-scope for anti-malware.
Incorrect Options
Option A: While CDE systems and connected systems require protection, the requirement applies specifically to systems at risk from malware.
Option B: Portable electronic storage is not explicitly called out for universal anti-malware but must be controlled in line with overall security policies.
Option C: Systems storing PAN are only a subset of in-scope systems.