WithPCI.com

Requirement 5: Protect All Systems and Networks from Malicious Software

Overview

Malicious software (malware) is software or firmware designed to infiltrate or damage a computer system without the owner's knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner's data, applications, or operating system. Examples include viruses, worms, Trojans, spyware, ransomware, keyloggers, rootkits, malicious code, scripts, and links. Malware can enter the network during many business-approved activities, including employee e-mail (for example, via phishing) and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities.

Using anti-malware solutions that address all types of malware helps to protect systems from current and evolving malware threats. Refer to Appendix G for definitions of PCI DSS terms.

Sections

5. Protect All Systems and Networks from Malicious Software

Implement robust anti-malware protections across all system components to prevent intrusion, data exfiltration, and compromise of cardholder data environments, encompassing traditional endpoints, cloud instances, and emerging technologies.

Sub-requirements: 13
Test points: 25
Implementation difficulty: Low-Moderate (2.2)

Control Types

Documentation
Governance
Technical (6)
Process (6)
Training

Key Risks

Ransomware encryption of payment processing systems
Memory-scraping malware capturing plaintext PAN
Exploitation of unpatched vulnerabilities in legacy systems
Phishing attacks compromising administrative credentials
Malicious code injection through third-party plugins

Frequently Asked Questions

What are the key differences in Requirement 5 between PCI DSS 3.2.1 and 4.0.1?

PCI DSS 4.0.1 expands Requirement 5's scope from basic antivirus protection to comprehensive anti-malware strategies covering: 1) Cloud workloads and containerized environments, 2) Memory protection mechanisms against RAM-scraping attacks, 3) Automated behavioral analysis for zero-day threats, and 4) Phishing protection for all user-facing systems. The updated requirement mandates continuous monitoring rather than periodic scans, with specific emphasis on protecting systems "commonly affected by malware", including Windows, Linux, and IoT devices.

How should anti-malware solutions be implemented in serverless architectures?

For serverless environments (e.g., AWS Lambda, Azure Functions): 1) Use runtime protection tools like AWS Lambda Layers with embedded security, 2) Implement function-level isolation with strict IAM policies, 3) Scan deployment packages using CI/CD-integrated tools (Snyk, Aqua Security), and 4) Monitor execution logs for anomalous behavior using cloud-native SIEM solutions. PCI DSS 4.0.1 specifically requires malware protection for ephemeral functions despite their short lifespan, mandating scanning of all third-party dependencies.

What documentation is required for anti-malware implementations?

Organizations must maintain: 1) An inventory of all protected systems with their protection mechanisms documented, 2) Automated update procedures for signatures/engines, 3) Exception logs for any unprotected systems with risk acceptance, 4) Quarterly review records of malware detection events, and 5) Integration evidence with vulnerability management programs. PCI DSS 4.0.1 explicitly requires documenting the anti-malware solution's ability to detect polymorphic malware and fileless attacks.

How often must anti-malware mechanisms be updated and validated?

PCI DSS 4.0.1 mandates: 1) Signature updates within 24 hours of vendor release, 2) Engine updates within 30 days of stable version availability, 3) Full solution replacement if the vendor discontinues support, and 4) Quarterly effectiveness validation through controlled malware simulation tests. For cloud-native solutions, continuous integration pipelines must include malware scanning of all deployment artifacts before promotion to production.
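The documentation items above (inventory, exception log with risk acceptance) and the update cadence (signatures within 24 hours, engines within 30 days, quarterly reassessment of exceptions) are the kind of thing an assessor wants to see checked mechanically rather than by reading spreadsheets. The script below is an added example, not WithPCI's tooling or anything from the PCI SSC; the inventory schema, host names, timestamps and the 90-day exception review window are all constructed assumptions for illustration.

```python
"""Added example (not WithPCI's own code): evaluate an anti-malware inventory
against the update-cadence and exception-documentation expectations above.

Assumptions (hypothetical): each inventory record carries the fields shown in
SAMPLE_INVENTORY, timestamps are ISO 8601 UTC, and the 24 h / 30 d / 90 d
thresholds are the organisation's chosen policy values."""
from datetime import datetime, timedelta, timezone

SIGNATURE_MAX_LAG = timedelta(hours=24)          # signature applied within 24 h of vendor release
ENGINE_MAX_LAG = timedelta(days=30)              # engine updated within 30 days of stable release
EXCEPTION_REVIEW_MAX_AGE = timedelta(days=90)    # quarterly reassessment of unprotected systems

# Constructed sample inventory (hypothetical hosts and timestamps).
SAMPLE_INVENTORY = [
    {   # fully protected and current
        "host": "pos-app-01", "protection": "EDR agent",
        "signature_released": "2024-03-10T08:00:00Z", "signature_applied": "2024-03-10T09:30:00Z",
        "engine_stable_released": "2024-02-01T00:00:00Z", "engine_applied": "2024-02-05T00:00:00Z",
    },
    {   # signature lagging by two days, engine never updated
        "host": "db-cde-02", "protection": "EDR agent",
        "signature_released": "2024-03-10T08:00:00Z", "signature_applied": "2024-03-12T10:00:00Z",
        "engine_stable_released": "2024-02-01T00:00:00Z", "engine_applied": None,
    },
    {   # legacy host covered by a documented, recently reviewed exception
        "host": "legacy-as400", "protection": None,
        "exception": {"risk_accepted_by": "CISO", "last_reassessed": "2024-02-20T00:00:00Z"},
    },
    {   # unprotected host with no exception recorded at all
        "host": "kiosk-07", "protection": None,
    },
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z'; None passes through."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lag(released, applied, now):
    """Delay between vendor release and application; an unapplied update keeps lagging until now."""
    applied_at = parse_ts(applied) or now
    return applied_at - parse_ts(released)


def evaluate_host(record, now):
    """Return the list of findings for one record; an empty list means compliant."""
    findings = []
    exception = record.get("exception")
    if not record.get("protection"):
        if exception is None:
            findings.append("no anti-malware protection documented and no risk-accepted exception")
            return findings
        if not exception.get("risk_accepted_by"):
            findings.append("exception lacks a named risk owner")
        reviewed = parse_ts(exception.get("last_reassessed"))
        if reviewed is None or now - reviewed > EXCEPTION_REVIEW_MAX_AGE:
            findings.append("exception overdue for quarterly risk reassessment")
        return findings
    sig_lag = lag(record["signature_released"], record.get("signature_applied"), now)
    if sig_lag > SIGNATURE_MAX_LAG:
        findings.append(f"signature update lag {sig_lag} exceeds {SIGNATURE_MAX_LAG}")
    eng_lag = lag(record["engine_stable_released"], record.get("engine_applied"), now)
    if eng_lag > ENGINE_MAX_LAG:
        findings.append(f"engine update lag {eng_lag} exceeds {ENGINE_MAX_LAG}")
    return findings


def evaluate_inventory(inventory, now):
    """Map every host to its findings."""
    return {rec["host"]: evaluate_host(rec, now) for rec in inventory}


def non_compliant_hosts(inventory, now):
    """Sorted list of hosts with at least one finding."""
    return sorted(host for host, f in evaluate_inventory(inventory, now).items() if f)


if __name__ == "__main__":
    as_of = parse_ts("2024-03-15T00:00:00Z")   # constructed assessment date
    for host, findings in evaluate_inventory(SAMPLE_INVENTORY, as_of).items():
        print(host, "OK" if not findings else findings)
```

Run against the sample with an assessment date of 2024-03-15, the script reports db-cde-02 (signature lag above 24 hours, engine never updated) and kiosk-07 (unprotected, no exception), while the legacy host passes because its exception is documented and was reviewed inside the quarter. Treating an unapplied update as lagging "until now" is the design choice worth keeping: it stops a host with a missing timestamp from silently counting as current.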

Are there exceptions for legacy systems that can't support modern anti-malware tools?

No systems in the CDE are exempt. For legacy systems (e.g., AS/400, Windows XP): 1) Implement host-based firewalls with strict allow lists, 2) Use network segmentation with IDS/IPS monitoring, 3) Deploy application control via whitelisting, and 4) Conduct weekly manual malware checks if automated tools are incompatible. All exceptions require quarterly risk reassessment and compensating control validation through penetration testing.

Common QSA Questions

Can you demonstrate real-time malware protection across hybrid cloud workloads?

Our multi-layered approach includes: 1) CrowdStrike Falcon with AWS GuardDuty integration for EC2 instances, 2) Azure Defender for Endpoints on container hosts, 3) Serverless protection via PureSec FunctionShield, and 4) Network-level scanning using Cisco Secure Firewall Threat Defense. We maintain centralized logging in Splunk ES with 90-day retention, showing <5 minute detection-to-alert latency across 15,000+ endpoints.

Can you show evidence of anti-phishing training and technical controls?

We combine: 1) Proofpoint Email Protection with URL rewriting and attachment sandboxing, 2) Quarterly KnowBe4 phishing simulations achieving <2% click-through rates, 3) Browser isolation for all external links in payment portals, and 4) DMARC/DKIM/SPF enforcement with a 100% quarantine policy. Training records show 98% completion across 450 staff, with recertification every 6 months. The last penetration test reported zero successful phishing breaches.
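"DMARC/DKIM/SPF enforcement with a 100% quarantine policy" is a claim an assessor can verify from the published DNS TXT records, so it helps to know what "enforcing" actually looks like in those records. The checker below is an added example, not WithPCI's code or any vendor's product; the SPF, DKIM and DMARC record strings are constructed samples with placeholder domains and a placeholder public key, and the checks follow the defaults in RFC 7208 (SPF), RFC 6376 (DKIM) and RFC 7489 (DMARC).

```python
"""Added example (not WithPCI's own code): assess constructed SPF, DKIM and DMARC
TXT records for the enforcement posture an assessor would look for.

Assumptions: the record strings in SAMPLES are constructed; domains and the
DKIM public key are placeholders, not real published records."""
import re

LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")   # SPF terms that cost a DNS lookup

# Constructed sample record sets: one enforcing domain, one still in monitor mode.
SAMPLES = {
    "enforced": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all",
        "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
        "dmarc": "v=DMARC1; p=quarantine; sp=quarantine; pct=100; rua=mailto:dmarc-reports@example.test",
    },
    "monitor_only": {
        "spf": "v=spf1 include:_spf.mail-provider.example ~all",
        "dkim": "v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test",
    },
}


def parse_tag_value(record):
    """Parse 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(terms):
    """Count terms that trigger DNS lookups (RFC 7208 caps these at 10)."""
    return sum(1 for t in terms if re.split(r"[:=/]", t.lstrip("+-~?").lower(), maxsplit=1)[0] in LOOKUP_TERMS)


def assess_spf(record):
    """Return (hard_fail, findings); hard_fail is True only when the record ends in '-all'."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["not an SPF1 record"]
    lookups = spf_lookup_count(terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (evaluates to permerror)")
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism, so unlisted senders get a neutral result")
        return False, findings
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"   # default qualifier is '+'
    if qualifier == "+":
        findings.append("'+all' authorises every sender on the Internet")
    elif qualifier in "~?":
        findings.append(f"'{qualifier}all' does not reject unauthorised senders (soft fail / neutral)")
    return qualifier == "-", findings


def assess_dkim(record):
    """Return (usable, findings) for a DKIM selector record."""
    findings = []
    tags = parse_tag_value(record)
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional, but must be DKIM1 when present
        return False, ["unexpected DKIM version tag"]
    if not tags.get("p"):
        findings.append("empty p= tag means the key is revoked")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag: verifiers must treat signed mail as unsigned")
    return not findings, findings


def assess_dmarc(record):
    """Return (enforcing, findings); enforcing means p and sp quarantine/reject at pct=100."""
    findings = []
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC1 record"]
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"domain policy p={policy!r} neither quarantines nor rejects")
    sub_policy = tags.get("sp", policy)             # sp defaults to p
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"subdomain policy sp={sub_policy!r} neither quarantines nor rejects")
    if int(tags.get("pct", "100")) < 100:           # pct defaults to 100
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    enforcing = not findings
    if "rua" not in tags:
        findings.append("no rua address, so there are no aggregate reports to evidence enforcement")
    return enforcing, findings


def assess_mail_auth(spf, dkim, dmarc):
    """Combine the three checks; 'enforced' requires all three to pass."""
    spf_ok, spf_f = assess_spf(spf)
    dkim_ok, dkim_f = assess_dkim(dkim)
    dmarc_ok, dmarc_f = assess_dmarc(dmarc)
    return {"enforced": spf_ok and dkim_ok and dmarc_ok,
            "findings": {"spf": spf_f, "dkim": dkim_f, "dmarc": dmarc_f}}


if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, assess_mail_auth(**records))
```

The "monitor_only" sample fails on all three fronts: `~all` only soft-fails spoofed mail, the DKIM key is flagged as testing (`t=y`), and `p=none` with no `sp=` leaves both the domain and its subdomains unenforced. Those are exactly the gaps that let a "we have DMARC" statement coexist with successful phishing, which is why the check reads the subdomain policy and `pct` default rather than stopping at `p=`.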

How are anti-malware configurations enforced across mobile POS devices?

All mobile devices (750+ Ingenico units) use: 1) Hexnode UEM-enforced app whitelisting, 2) McAfee MVISION Mobile with real-time scanning, 3) Read-only filesystems for payment applications, and 4) Automated OS patching within 72 hours of release. Configuration drift is prevented through immutable boot images signed with HSM-protected keys. The last quarterly audit showed 100% compliance across the fleet.
