
Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Each requirement below is reported in four parts: the PCI DSS requirement with its testing procedures, the reporting instruction for the assessor, the assessor's response, and the Summary of Assessment Findings (check one): In Place, In Place w/ CCW (compensating control worksheet), N/A, Not Tested, Not in Place.

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/ CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

Testing procedure 5.1: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.
Reporting instruction: Identify the sample of system components (including all operating system types commonly affected by malicious software) selected for this testing procedure. For each item in the sample, describe how anti-virus software was observed to be deployed.
Assessor's response:
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/ CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

Testing procedure 5.1.1: Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs:
• Detect all known types of malicious software, and
• Remove all known types of malicious software, and
• Protect against all known types of malicious software.
(Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.)
Reporting instruction: Identify the vendor documentation reviewed to verify that anti-virus programs:
• Detect all known types of malicious software,
• Remove all known types of malicious software, and
• Protect against all known types of malicious software.
Describe how anti-virus configurations verified that anti-virus programs:
• Detect all known types of malicious software,
• Remove all known types of malicious software, and
• Protect against all known types of malicious software.
Assessor's response: Not Mentioned
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/ CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

Testing procedure 5.1.2: Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.
Reporting instruction: Identify the responsible personnel interviewed for this testing procedure. For the interview, summarize the relevant details discussed to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, and that such systems continue to not require anti-virus software.
Assessor's response:

PCI DSS Template for Report on Compliance, Appendix D: Segmentation and Sampling of Business Facilities/System Components June 2018
© 2018 PCI Security Standards Council, LLC. All Rights Reserved. Page 1
5.2 Ensure that all anti-virus mechanisms are maintained as follows:
• Are kept current.
• Perform periodic scans.
• Generate audit logs which are retained per PCI DSS Requirement 10.7.
Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/ CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

Testing procedure 5.2.a: Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date.
Reporting instruction: Identify the documented policies and procedures examined to verify that anti-virus software and definitions are required to be kept up to date.
Assessor's response: Not Mentioned

Testing procedure 5.2.b: Examine anti-virus configurations, including the master installation of the software, to verify anti-virus mechanisms are:
• Configured to perform automatic updates, and
• Configured to perform periodic scans.
Reporting instruction: Describe how anti-virus configurations, including the master installation of the software, verified anti-virus mechanisms are:
• Configured to perform automatic updates, and
• Configured to perform periodic scans.
Assessor's response:
Testing procedure 5.2.c: Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:
• The anti-virus software and definitions are current.
• Periodic scans are performed.
Reporting instruction: Identify the sample of system components (including all operating system types commonly affected by malicious software) selected for this testing procedure. Describe how the system components verified that:
• The anti-virus software and definitions are current.
• Periodic scans are performed.
Assessor's response:
Testing procedure 5.2.d: Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that:
• Anti-virus software log generation is enabled, and
• Logs are retained in accordance with PCI DSS Requirement 10.7.
Reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how anti-virus configurations, including the master installation of the software, verified that:
• Anti-virus software log generation is enabled, and
• Logs are retained in accordance with PCI DSS Requirement 10.7.
Assessor's response:
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/ CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place
Testing procedure 5.3.a: Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify the anti-virus software is actively running.
Reporting instruction: Identify the sample of system components selected for this testing procedure. For each item in the sample, describe how anti-virus configurations, including the master installation of the software, verified that the anti-virus software is actively running.
Assessor's response:
Testing procedure 5.3.b: Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.
Reporting instruction: For each item in the sample from 5.3.a, describe how anti-virus configurations, including the master installation of the software, verified that the anti-virus software cannot be disabled or altered by users.
Assessor's response:

Testing procedure 5.3.c: Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Reporting instruction: Identify the responsible personnel interviewed who confirm that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Describe how processes were observed to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Assessor's response:
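The sample-host checks behind testing procedures 5.2.c, 5.2.d, 5.3.a and 5.3.b can be collected in one pass so the assessor's response cites observed values rather than a verbal assurance. The script below is an added evidence-collection example, not part of the PCI SSC template. It assumes the sampled host runs Microsoft Defender Antivirus (the Get-MpComputerStatus, Get-MpPreference and Get-WinEvent cmdlets); the two age thresholds are assumptions, since the requirement says only "current" and "periodic". It covers only the sampled endpoint, so the master installation (central management console policy) and the 10.7 log-retention period still have to be examined separately.

```powershell
# Added evidence collector for PCI DSS 5.2/5.3 on a sampled Windows host.
# Assumption: Microsoft Defender Antivirus is the deployed product.
# Run in an elevated PowerShell session on each host in the sample.
param(
    [int]$MaxSignatureAgeDays = 3,   # assumed threshold for "definitions are current"
    [int]$MaxScanAgeDays      = 7,   # assumed threshold for "periodic scans are performed"
    [string]$OutFile = "$env:COMPUTERNAME-req5-evidence.json"
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$now    = Get-Date

# Most recent completed scan of either type; $null if the host has never been scanned.
$lastScan = @($status.QuickScanEndTime, $status.FullScanEndTime) |
    Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

$evidence = [ordered]@{
    Hostname                   = $env:COMPUTERNAME
    CollectedAt                = $now.ToString('u')
    # 5.3.a: anti-virus actively running
    AMServiceEnabled           = $status.AMServiceEnabled
    RealTimeProtectionEnabled  = $status.RealTimeProtectionEnabled
    # 5.3.b: cannot be disabled or altered by users
    TamperProtected            = $status.IsTamperProtected
    RealtimeMonitoringDisabled = $pref.DisableRealtimeMonitoring
    # 5.2.c: software and definitions current
    EngineVersion              = $status.AMEngineVersion
    SignatureVersion           = $status.AntivirusSignatureVersion
    SignatureAgeDays           = [math]::Round(($now - $status.AntivirusSignatureLastUpdated).TotalDays, 1)
    # 5.2.c: periodic scans performed (schedule plus last observed completion)
    ScheduledScanDay           = $pref.ScanScheduleDay
    ScheduledScanTime          = $pref.ScanScheduleTime
    LastScanCompleted          = if ($lastScan) { $lastScan.ToString('u') } else { $null }
    # 5.2.d: log generation enabled (retention per 10.7 is checked on the log collector, not here)
    OperationalLogEnabled      = (Get-WinEvent -ListLog 'Microsoft-Windows-Windows Defender/Operational').IsEnabled
}

# One boolean per testing procedure; $true means the host's evidence supports "In Place".
$checks = [ordered]@{
    '5.3.a actively running'     = [bool]($evidence.AMServiceEnabled -and $evidence.RealTimeProtectionEnabled)
    '5.3.b user cannot disable'  = [bool]($evidence.TamperProtected -and -not $evidence.RealtimeMonitoringDisabled)
    '5.2.c definitions current'  = $evidence.SignatureAgeDays -le $MaxSignatureAgeDays
    '5.2.c periodic scans'       = ($null -ne $lastScan) -and (($now - $lastScan).TotalDays -le $MaxScanAgeDays)
    '5.2.d logging enabled'      = [bool]$evidence.OperationalLogEnabled
}

# Keep the raw values and the verdicts together so the work paper shows both.
[pscustomobject]@{ Evidence = $evidence; Checks = $checks } |
    ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8

$checks.GetEnumerator() | ForEach-Object { '{0,-28} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { exit 1 }   # non-zero exit flags a host needing follow-up
```

A failed 5.3.b check on a host is not by itself a "Not in Place" finding: the requirement allows management-authorized, time-limited exceptions, so the assessor should match any host with tamper protection off or real-time monitoring disabled against the authorization records gathered under 5.3.c.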

5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.
Summary of Assessment Findings (check one): ☐ In Place  ☐ In Place w/ CCW  ☐ N/A  ☐ Not Tested  ☐ Not in Place

Testing procedure 5.4: Examine documentation and interview personnel to verify that security policies and operational procedures for protecting systems against malware are:
• Documented,
• In use, and
• Known to all affected parties.
Reporting instruction: Identify the document reviewed to verify that security policies and operational procedures for protecting systems against malware are documented. Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are:
• In use
• Known to all affected parties
Assessor's response: Not Mentioned
