Intro to PCI version 4: Requirement 5

In the past requirement 5 has been approached from the mindset of “just install McAfee and be done with it” (or whatever your AV solution happens to be).  The new direction in v4 expands the concept of protecting against “malware” to encompass malicious intent that wouldn’t be captured by your AV solution directly, at least not without some configuration changes.  The council also continues down the path of automating as much as possible to remove the risk of human error (or intentional internal actions).

Overall Thoughts

Personally, I like the changes to R5.  I have been preaching to any client that will listen (and sometimes to random people on the streets) that they need to put more effort into building a secure culture to reduce the human risk factor, since that is the largest attack vector in most environments.  The changes in 5 don’t directly change the culture of your company, but they can reduce the decision points presented to employees by lowering the risk of phishing, which does have a positive impact on the overall environment.

What’s New for Req 5 in v4

With that said, here are the changes in the form of new controls in requirement 5 of version 4:

  • 5.1.2 – Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood. <- literally cut and pasted this line from the post on requirement 4 (which was cut from 3, etc.)
  • 5.2.3.1 – A targeted risk analysis is performed to determine the frequency of periodic evaluations of system components identified as not at risk for malware – No longer able to just declare systems as “not at risk” and write them off to focus on other items.  Targeted Risk Assessments (TRAs) MUST be done prior to the assessment starting, so be mindful of that when getting ready to start your first v4 assessment cycle.
  • 5.3.2.1 – A targeted risk analysis is performed to determine frequency of periodic malware scans.
  • 5.3.3 – Anti-malware scans are performed when removable electronic media is in use.  This one is potentially HUGE.  How many of your employees use USB drives to move files between work and home?
  • 5.4.1 – Mechanisms are in place to detect and protect personnel against phishing attacks.  Anytime you see the word “mechanisms” read it to say, “automated solutions”.  As I mentioned previously, a reduction in the amount of phishing attempts that make it to your internal user community will obviously lead to a more secure environment, allowing employees to focus on their actual work.
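
As an added illustration (not from the original post or from the PCI council), here is a small Python check of the kind of evidence 5.3.3 and 5.3.4 would produce: it reads constructed OS mount and anti-malware agent log lines (the agent name “amscan” and both log formats are assumptions) and flags removable-media mounts that were not followed by a scan within a set window, plus simple scan counts of the sort you could turn into KPIs.

```python
"""Check that every removable-media mount was followed by an anti-malware scan."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): mount events from the
# OS and scan-completion events from a hypothetical anti-malware agent "amscan".
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host1 kernel: removable media mounted dev=/dev/sdb1 user=alice
2024-03-04T09:12:40Z host1 amscan: scan complete dev=/dev/sdb1 result=clean files=212
2024-03-04T10:05:13Z host1 kernel: removable media mounted dev=/dev/sdc1 user=bob
2024-03-04T11:30:00Z host1 amscan: scan complete dev=/dev/sdc1 result=clean files=40
2024-03-04T12:00:00Z host2 kernel: removable media mounted dev=/dev/sdb1 user=carol
2024-03-04T13:00:00Z host2 amscan: scan complete dev=/dev/sdd1 result=infected files=9
"""

MOUNT_RE = re.compile(r"^(\S+) (\S+) kernel: removable media mounted dev=(\S+) user=(\S+)")
SCAN_RE = re.compile(r"^(\S+) (\S+) amscan: scan complete dev=(\S+) result=(\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(log_text):
    """Split log text into (timestamp, host, dev, extra) tuples for mounts and scans."""
    mounts, scans = [], []
    for line in log_text.splitlines():
        if m := MOUNT_RE.match(line):
            mounts.append((parse_ts(m[1]), m[2], m[3], m[4]))   # extra = user
        elif m := SCAN_RE.match(line):
            scans.append((parse_ts(m[1]), m[2], m[3], m[4]))    # extra = result
    return mounts, scans


def find_unscanned_mounts(log_text, max_delay=timedelta(minutes=5)):
    """Return one dict per removable-media mount with no scan on the same host
    and device within max_delay; an empty list means 5.3.3 held for this sample."""
    mounts, scans = parse_log(log_text)
    gaps = []
    for ts, host, dev, user in mounts:
        scanned = any(h == host and d == dev and ts <= sts <= ts + max_delay
                      for sts, h, d, _ in scans)
        if not scanned:
            gaps.append({"host": host, "dev": dev, "user": user, "mounted": ts.isoformat()})
    return gaps


def scan_kpis(log_text):
    """Count scans and detections from the agent's audit log (5.3.4 evidence)."""
    _, scans = parse_log(log_text)
    detections = sum(1 for _, _, _, result in scans if result != "clean")
    return {"scans": len(scans), "detections": detections}
```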

Requirement 5 is maturing along with the rest of the controls, expanding not only the controls themselves but the overall mindset and philosophy behind them.  This is very evident in the changes to requirement 5’s existing controls.

  • 5 – Clarification/guidance – Updated principal requirement title to reflect the focus on protecting all systems and networks from malicious software.
  • 5 – Clarification/guidance – Replaced “anti-virus” with “anti-malware” throughout to support a broader range of technologies used to meet the security objectives traditionally met by anti-virus software.
  • 5.1.2 – Clarification/guidance – Changed to 5.2.3 and clarified requirement by changing focus to “system components that are not at risk for malware.”
  • 5.2 – Clarification/guidance – Split this one requirement into three separate ones (5.3.1, 5.3.2, 5.3.4) so that each requirement focuses on one area:
    • Keeping the malware solution current via automatic updates
    • Performing periodic scans and active or real-time scans (with a new option for continuous behavioral analysis)
    • Generation of audit logs by the malware solution.

Conclusion

From an operational standpoint not much is going to change in the daily routine based on the changes to Requirement 5.  There will be some potential upfront work to upgrade and develop the oversight processes going forward (TRAs), but once those are in place, little changes day to day.  The best advice I have for you is to take this one seriously and put the effort in early to build processes that keep the areas of your security program which govern and manage this area in the forefront of management’s minds.  Develop KPIs that show how much the new solutions are capturing before it gets into the environment, etc.  Keep the narrative between security and management, especially finance, focused on how the lack of large events is made possible by the group’s efforts on the numerous small events that happen every day.

As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.  Feel free to reach out to me directly with questions or to have a conversation via my email and/or social media information on the TBF website.  Thanks for taking the time to read my thoughts on PCI v4 Requirement 5.  We will continue to work through each of the PCI requirements each week.