PCI 1.2 and Anti-virus Software Requirements

Last month the PCI Security Standards Council released version 1.2 of the PCI DSS. There were a number of updates and changes to the standard, most of which I have already written about. I want to revisit Requirement 5 of the PCI DSS which relates to the use of anti-virus software on all systems in the cardholder data environment. Version 1.1 states the following:

Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers) Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes.

Version 1.2 changes the requirement as follows:

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Notice that they removed the note defining which types of systems are not typically affected by viruses. I attended a seminar recently by David Wallace, a noted PCI DSS expert and someone who is very involved with the PCI SSC. His explanation was that the council wants to remove the “pass” that Unix and Linux systems had for not deploying anti-virus software. There have been a number of viruses released in recent years that affect Unix-based operating systems. Also, there are several vendors that now sell anti-virus products for various flavors of Unix and Linux, including Red Hat Linux, Solaris and MacOS. These vendors include Trend Micro, McAfee and ClamAV.

The best way to meet this requirement is to install anti-virus software on any system within scope for which a solution exists. Obviously, systems such as IBM’s I-Series and Mainframes would be excluded. But systems running Solaris or RH Linux should have anti-virus software installed if one exists for the particular version you are running. Furthermore, there really is not a compensating control for this requirement. If anti-virus software exists for the system in question, it must be installed. I cannot think of a compensating control that provides a “similar level of defense” as the original requirement.