WithPCI.com

5.3.2.1 If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

5.3.2.1 If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Customized Approach Objective

Scans by the malware solution are performed at a frequency that addresses the entity's risk.

Applicability Notes

This requirement applies to entities conducting periodic malware scans to meet Requirement 5.3.2. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

5.3.2.1.a Examine the entity's targeted risk analysis for the frequency of periodic malware scans to verify the risk analysis was performed in accordance with all elements specified in Requirement 12.3.1.

5.3.2.1.b Examine documented results of periodic malware scans and interview personnel to verify scans are performed at the frequency defined in the entity's targeted risk analysis performed for this requirement.

Purpose

Entities can determine the optimum period to undertake periodic scans based on their own assessment of the risks posed to their environments.

Purpose

Monitor and evaluate evolving malware threats for systems not commonly affected.

Compliance Strategies

  • Threat intelligence feeds
  • Regular reviews

Typical Policies

  • Threat Monitoring Policy

Common Pitfalls

  • No ongoing threat monitoring
  • Delayed response to new risks

Type

Process Control

Difficulty

Moderate

Key Risks

  • Emerging malware not detected

Recommendations

  • Subscribe to industry threat feeds

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
