Vulnerability Management [Req 5-6]
Rule: Protect all systems and networks from malicious software (Requirement 5), and develop and maintain secure systems and software through vulnerability management, patching, secure development and controlled change (Requirement 6).
Requirement 5: Protect All Systems and Networks from Malicious Software
5.2 — Malware Is Prevented, or Detected and Addressed
| Control | Requirement |
|---|---|
| Anti-malware deployed | On all system components, except those evaluated as not at risk from malware (5.2.1) |
| Detect known malware | Solution detects all known types of malware and removes, blocks or contains it (5.2.2) |
| Not-at-risk systems | Evaluated periodically, with a list of such systems and the justification for exclusion (5.2.3) |
| Systems covered | All in-scope system components, not only those inside the CDE |
5.3 — Anti-Malware Mechanisms Are Active, Maintained and Monitored
| Control | Requirement |
|---|---|
| Automatic updates | Signatures and engine kept current via automatic updates (5.3.1) |
| Scans | Periodic scans plus active/real-time scans, or continuous behavioral analysis of systems or processes (5.3.2) |
| Removable media | Automatic scan, or behavioral analysis, when media is inserted, connected or mounted (5.3.3) |
| Audit logs | Enabled and retained in line with Requirement 10.5.1 (5.3.4) |
| Cannot be disabled | Users cannot disable or alter the solution; exceptions need documented management authorization, case by case, for a limited time (5.3.5) |
5.4 — Anti-Phishing Mechanisms Protect Users
| Control | Requirement |
|---|---|
| Technical controls | Processes and automated mechanisms that detect and protect personnel against phishing, for example anti-spoofing (SPF, DKIM, DMARC), email filtering and link/URL filtering (5.4.1) |
| Detection mechanisms | Identify phishing attempts that reach personnel so they can be reported and blocked |
| User training | Not part of 5.4 itself; phishing and social-engineering awareness is covered by security awareness training under Requirement 12.6.3.1 |
Systems Commonly Affected by Malware
- Windows systems
- macOS systems
- Linux systems (increasingly targeted)
- Point-of-sale devices
If a system type is considered not at risk: keep a list of those systems, document the justification, and re-evaluate them periodically at a frequency set by the entity's targeted risk analysis (5.2.3, 5.2.3.1).
Requirement 6: Develop and Maintain Secure Systems and Software
6.2 — Bespoke and Custom Software Is Developed Securely
| Control | Requirement |
|---|---|
| Training | Development personnel trained in secure coding relevant to their languages and tools at least once every 12 months (6.2.2) |
| Secure coding guidelines | Development based on industry standards and best practices, with security addressed throughout the lifecycle (6.2.1) |
| Code review | Before release to production; manual reviews done by someone other than the author, with documented approval (6.2.3, 6.2.3.1) |
| Attack prevention | Engineering techniques that prevent injection, attacks on data and data structures, misuse of cryptography, business-logic and access-control attacks (6.2.4) |
6.3 — Security Vulnerabilities Are Identified and Addressed
| Control | Requirement |
|---|---|
| Identify vulnerabilities | From industry-recognized sources such as vendor advisories, CVE/NVD and CERT alerts (6.3.1) |
| Risk rank | Each vulnerability assigned a risk ranking; the entity defines what counts as critical or high |
| Software inventory | Inventory of bespoke and custom software and of third-party components in use (6.3.2) |
| Critical/high patches | Installed within one month of release (6.3.3) |
| Other patches | Installed within an entity-defined timeframe, for example within three months |
Patching Timeline
| Severity | Deadline |
|---|---|
| Critical | Within one month (30 days) of patch release |
| High | Within one month (30 days) of patch release |
| Medium | Entity-defined; PCI DSS gives three months (90 days) as an example |
| Low | Entity-defined, documented timeframe |
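The timeline above is easiest to enforce as code. The following is an added example, not text or code from PCI DSS: it parses a constructed vulnerability-scanner export and classifies each finding as compliant, late, open or overdue against the 6.3.3 deadlines. Assumptions that are not in the standard: the risk rank is derived from the CVSS base score using the NVD qualitative bands, the "other patches" window is the 90-day value recommended above, and the CSV layout, finding IDs and host names are placeholders.

```python
"""Patch-SLA check for Requirement 6.3.3. Added example, not text or code from
PCI DSS; it applies the deadlines in the table above to a constructed scanner
export. Assumptions (not from the standard): risk rank is taken from the CVSS
base score using the NVD qualitative bands, the "other patches" window is the
90-day value recommended above, and the CSV layout is hypothetical.
"""
import csv
import io
from datetime import date, timedelta
from typing import Optional

CRITICAL_HIGH_DAYS = 30  # 6.3.3: critical/high within one month of release
OTHER_DAYS = 90          # entity-defined; the three-month example is used here

# Constructed sample export; finding IDs and hosts are placeholders.
SAMPLE_EXPORT = """\
id,host,cvss,patch_released,patched_on
F-001,web01,9.8,2025-04-15,
F-002,db01,7.5,2025-05-20,
F-003,app02,5.3,2025-02-01,2025-04-20
F-004,pos07,8.1,2025-03-01,2025-04-10
F-005,jump01,3.1,2025-05-25,
"""


def risk_rank(cvss: float) -> str:
    """Map a CVSS v3 base score to a rank (NVD bands; assumed for 6.3.1)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def deadline(release: date, rank: str) -> date:
    """Latest acceptable install date for a patch released on `release`."""
    days = CRITICAL_HIGH_DAYS if rank in ("critical", "high") else OTHER_DAYS
    return release + timedelta(days=days)


def status(due: date, patched_on: Optional[date], today: date) -> str:
    """Classify one finding against its deadline."""
    if patched_on is None:
        return "overdue" if today > due else "open"
    return "late" if patched_on > due else "compliant"


def evaluate(export_csv: str, today_iso: str) -> list:
    """Parse the export; return one record per finding with rank, due date and status."""
    today = date.fromisoformat(today_iso)
    records = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        rank = risk_rank(float(row["cvss"]))
        due = deadline(date.fromisoformat(row["patch_released"]), rank)
        patched = date.fromisoformat(row["patched_on"]) if row["patched_on"] else None
        records.append({
            "id": row["id"],
            "host": row["host"],
            "rank": rank,
            "due": due.isoformat(),
            "status": status(due, patched, today),
        })
    return records


def status_by_id(export_csv: str, today_iso: str) -> dict:
    """Convenience view, finding id -> status, for use as a compliance gate."""
    return {r["id"]: r["status"] for r in evaluate(export_csv, today_iso)}


if __name__ == "__main__":
    for r in evaluate(SAMPLE_EXPORT, "2025-06-01"):
        print(f'{r["id"]} {r["host"]:7} {r["rank"]:8} due {r["due"]} {r["status"]}')
```

The "late" state matters for an assessment as much as "overdue": a patch installed after its deadline is still a missed 6.3.3 window and should be visible in the evidence, not hidden by the fact that the host is now patched.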
6.4 — Public-Facing Web Applications Are Protected Against Attacks
| Control | Requirement |
|---|---|
| Attack detection | Automated technical solution (e.g. a WAF) that continually detects and prevents web-based attacks; mandatory from 31 March 2025 (6.4.2) |
| Vulnerability assessment | Until 6.4.2 applies: manual or automated assessment at least annually and after significant changes, with findings corrected (6.4.1) |
| Payment page scripts | Scripts loaded in the consumer's browser are authorized, integrity-checked and inventoried with a written justification (6.4.3) |
| Common vulnerabilities | Addressed during development under 6.2.4; the OWASP Top 10 is a common reference list |
6.5 — Changes to All System Components Are Managed Securely
| Control | Requirement |
|---|---|
| Documented procedures | Reason for and description of every change (6.5.1) |
| Impact analysis | Documented assessment of the change's security impact |
| Approval | Documented approval by authorized parties |
| Testing | Verifies the change has no adverse impact on security before production |
| Rollback | Procedures to address failures and return to a secure state |
| Post-change check | After a significant change, confirm all applicable PCI DSS requirements still hold (6.5.2) |
| Environments | Pre-production separated from production with separated roles; no live PANs in pre-production; test data and accounts removed before go-live (6.5.3 to 6.5.6) |
OWASP Top 10 Coverage
PCI DSS does not mandate the OWASP Top 10 by name. Requirement 6.2.4 requires engineering techniques that prevent injection, attacks on data and data structures, attacks on cryptography usage, business-logic attacks, attacks on access control and any high-risk vulnerabilities identified under 6.3.1, and cites OWASP as an industry-recognized source. The list below is the OWASP Top 10 (2017 edition), which maps onto those categories; the 2021 edition folds XXE into security misconfiguration and XSS into injection:
- Injection attacks
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
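The first item on the list is what 6.2.4 and 6.2.3 code review are meant to catch. As an added example that is not from this page or from PCI SSC, the block below puts a lookup built by string concatenation next to its parameterized form and runs both against an in-memory SQLite table, so the difference is observable rather than asserted. It also shows the case parameter binding cannot cover (a column name used in ORDER BY), handled with an allowlist. The table name, columns, rows and attacker payload are all constructed for the demonstration.

```python
"""Injection item from the list above, as an added example (not from the page or
PCI SSC): a lookup built by string concatenation beside its parameterized form,
run against an in-memory SQLite table. Table name, columns, rows and the
attacker payload are constructed for this demonstration.
"""
import sqlite3

# Identifiers cannot be bound as parameters, so they are restricted to an allowlist.
ALLOWED_SORT_COLUMNS = {"email", "id"}

# Classic tautology payload: the quote closes the literal and OR widens the match.
PAYLOAD = "' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Create a small table of constructed cardholder records (tokens, not PANs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholders (id INTEGER PRIMARY KEY, email TEXT, pan_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO cardholders (email, pan_token) VALUES (?, ?)",
        [("alice@example.com", "tok_1a2b"), ("bob@example.com", "tok_3c4d")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: input is spliced into the statement text and becomes SQL syntax."""
    sql = "SELECT email, pan_token FROM cardholders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT email, pan_token FROM cardholders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def list_sorted(conn: sqlite3.Connection, sort_column: str) -> list:
    """Column names cannot be parameterized, so the caller's choice is allowlisted."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return conn.execute(f"SELECT email FROM cardholders ORDER BY {sort_column}").fetchall()


def demo() -> tuple:
    """Rows returned for the attacker payload by each variant: (vulnerable, safe)."""
    conn = setup_db()
    return len(lookup_vulnerable(conn, PAYLOAD)), len(lookup_safe(conn, PAYLOAD))


if __name__ == "__main__":
    print("rows returned to payload by vulnerable/safe lookup:", demo())
```

With the payload, the concatenated query becomes `WHERE email = '' OR '1'='1'` and returns every row; the parameterized query looks for an email literally equal to the payload and returns nothing. A code review under 6.2.3 should reject any statement whose text is assembled from request data, and any dynamic identifier that is not checked against a fixed set.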
Citation
PCI DSS v4.0.1 Requirements 5-6