WithPCI.com

5.2.3.1 The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

5.2.3.1 The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Customized Approach Objective

Systems not known to be at risk from malware are re-evaluated at a frequency that addresses the entity's risk.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

5.2.3.1.a Examine the entity's targeted risk analysis for the frequency of periodic evaluations of system components identified as not at risk for malware to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1.

5.2.3.1.b Examine documented results of periodic evaluations of system components identified as not at risk for malware and interview personnel to verify that evaluations are performed at the frequency defined in the entity's targeted risk analysis performed for this requirement.

Purpose

Entities determine the optimum period to undertake the evaluation based on criteria such as the complexity of each entity's environment and the number of types of systems that are required to be evaluated.
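Testing procedure 5.2.3.1.b asks an assessor to confirm that each system classed as not at risk for malware was actually re-evaluated at the frequency the targeted risk analysis set for it. The following Python script is an added illustration of that check and is not part of the requirement text or any WithPCI tooling. It assumes the risk analysis expresses the frequency in days per system class (a constructed sample table) and that the entity keeps a record of the last documented evaluation date per system; it flags systems that are overdue, systems with no documented evaluation, and system classes the risk analysis forgot to cover, which is the gap 5.2.3.1.a would surface against Requirement 12.3.1.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample: evaluation frequency (in days) per system class, as an
# entity's targeted risk analysis under Requirement 12.3.1 might define it.
RISK_ANALYSIS_FREQUENCY_DAYS: Dict[str, int] = {
    "mainframe": 365,
    "network-appliance": 180,
    "hsm": 365,
}


@dataclass(frozen=True)
class NotAtRiskSystem:
    """A system component the entity has identified as not at risk for malware."""
    hostname: str
    system_class: str
    last_evaluated: Optional[date]  # None means no documented evaluation exists


@dataclass(frozen=True)
class Finding:
    hostname: str
    status: str        # "ok", "overdue", "never-evaluated" or "no-frequency-defined"
    days_overdue: int  # 0 unless status is "overdue"


def evaluate_schedule(systems: List[NotAtRiskSystem],
                      frequency_days: Dict[str, int],
                      as_of: date) -> List[Finding]:
    """Compare each system's last documented evaluation against the frequency
    the risk analysis defines for its class, as of the given date."""
    findings: List[Finding] = []
    for system in systems:
        freq = frequency_days.get(system.system_class)
        if freq is None:
            # The risk analysis does not cover this class at all: a 12.3.1 gap,
            # not merely a missed evaluation.
            findings.append(Finding(system.hostname, "no-frequency-defined", 0))
            continue
        if system.last_evaluated is None:
            findings.append(Finding(system.hostname, "never-evaluated", 0))
            continue
        due = system.last_evaluated + timedelta(days=freq)
        days_late = (as_of - due).days
        if days_late > 0:
            findings.append(Finding(system.hostname, "overdue", days_late))
        else:
            findings.append(Finding(system.hostname, "ok", 0))
    return findings


def noncompliant(findings: List[Finding]) -> List[Finding]:
    """Everything an assessor would write up: anything that is not 'ok'."""
    return [f for f in findings if f.status != "ok"]


# Constructed sample inventory; hostnames and dates are invented.
SAMPLE_SYSTEMS = [
    NotAtRiskSystem("mf-core-01", "mainframe", date(2024, 5, 1)),
    NotAtRiskSystem("fw-edge-02", "network-appliance", date(2025, 1, 15)),
    NotAtRiskSystem("hsm-pay-01", "hsm", None),
    NotAtRiskSystem("plc-line-07", "ot-controller", date(2025, 3, 1)),
]
AS_OF = date(2025, 6, 1)

if __name__ == "__main__":
    for finding in evaluate_schedule(SAMPLE_SYSTEMS, RISK_ANALYSIS_FREQUENCY_DAYS, AS_OF):
        print(f"{finding.hostname:12} {finding.status:22} overdue={finding.days_overdue}d")
```

Run against the sample data as of 2025-06-01, the mainframe is 31 days past its annual evaluation, the HSM has never been evaluated, and the OT controller class has no frequency defined at all; only the firewall appliance evaluated in January is within its 180-day window. Feeding the script the real risk analysis and evaluation log produces the evidence 5.2.3.1.b asks for, and an empty `noncompliant` list is the condition to aim for before an assessment.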

Purpose

Configure anti-malware mechanisms to prevent users from disabling or altering them unless specifically authorized.

Compliance Strategies

  • Tamper protection
  • Admin-only override

Typical Policies

  • Anti-Malware Tamper Protection Policy

Common Pitfalls

  • Users able to disable protection
  • No override tracking

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Protection bypassed by users

Recommendations

  • Use endpoint solutions with tamper protection features

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
