You are here

Requirement 5: Use and regularly update anti-virus software

Subscribe to Syndicate
Protect all systems against malware and regularly update anti-virus software or programs

Malicious software, commonly referred to as “malware”—including viruses, worms, and Trojans—enters the network during many business- approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered as a supplement to the anti-virus software; however, such additional solutions do not replace the need for anti-virus software to be in place.

Section PCI Requirement Comments Provided by Artsman Cloud
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and file servers). See specifics for SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. You must keep your anti-virus software up to date with latest definitions SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

For Theatre Manager database and TM server, ensure those processes are the only thing running on the machine. Keep them separate from a domain server to limit who can actually log in to the server.

Check with the vendor of other systems in use.

SPLIT
  • Artsman: Process isolation is used extensively and services are continuously monitored
  • Customer: Workstations must be audited
5.2 Ensure that all anti-virus mechanisms are maintained as follows:   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Note: Anti-virus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

  SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.   SPLIT
  • Artsman: This documentation and staff training
  • Customer: Own staff training