- The terms "virus" and "anti-virus" are replaced by "malicious software" and "anti-malware" respectively. This is to cover malware variants such as worms, trojans, ransomware, spyware, rootkits, adware, backdoors, etc.
- The mention "Actively running" is replaced by "Real-time scanning". This is to avoid past misunderstandings. Real-time scanning should be understood as a type of persistent, on-access scanning.
- "Behavioral analysis" is incorporated as an accepted scanning method for anti-malware solutions, as an alternative to traditional periodic (scheduled and on-demand) and real-time (on-access) scans. Behavior-based malware detection evaluates an object based on its intended actions before it can actually execute that behavior. An object's behavior, or in some cases its potential behavior, is analyzed for suspicious activities. Attempts to perform actions that are clearly abnormal or unauthorized indicate that the object is malicious, or at least suspicious.
New controls: five new controls:
- 4.0 - 5.1.2 Generic statement about roles and responsibilities.
- 4.0 - 5.2.3.1 Organizations should perform a periodic assessment to determine which system components require an anti-malware solution. Assets determined not to be affected by malware should be included in a list. The frequency of periodic evaluations of system components not at risk for malware shall be the result of a targeted risk analysis.
- 4.0 - 5.3.2.1 The frequency of periodic malware scans shall be the outcome of a targeted risk analysis.
- 4.0 - 5.3.3 Removable electronic media must be automatically scanned when the media is inserted, connected, or logically mounted. The wording of the requirement, the testing procedures, and the guidance all indicate a requirement to scan the entire media/device upon connection, and not merely to scan files on access.
- 4.0 - 5.4.1 Mandatory detection and protection against phishing attacks. By adding this requirement, the PCI Security Standards Council has acknowledged that email is a major attack vector and that phishing is the most successful attack.
3.2.1 - 5.2 is split into 4.0 - 5.3.1, 5.3.2 and 5.3.4.
4.0 - 5.3.1 Requires that anti-malware be updated automatically.
4.0 - 5.3.2 Introduces the notion of continuous behavioral analysis of systems or processes.
4.0 - 5.3.2 In addition to periodic scanning, "real-time scanning" (on-access) scans shall also be performed every time an object is downloaded, opened, or modified. Those running traditional anti-malware tools will need to do both periodic and real-time scanning, which could introduce additional load on systems in scope. Most modern anti-malware platforms already include both.
3.2.1 - Protect all systems against malware and regularly update anti-virus software or programs
4.0 - Protect all Systems and networks from malicious software
Change: Reformulation + Clarification.
4.0 - 5.2.1 An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware.
4.0 - 5.2.2 The deployed anti-malware solution(s):
- Detects all known types of malware.
- Removes, blocks, or contains all known types of malware.
Change: Reformulation + Clarification
4.0 - 5.2.3 Any system components that are not at risk for malware are evaluated periodically to include the following:
- A documented list of all system components not at risk for malware.
- Identification and evaluation of evolving malware threats for those system components.
- Confirmation whether such system components continue to not require anti-malware protection.
Organizations must perform a Targeted Risk Analysis (TRA) with the goal of establishing a frequency to review systems not at risk for malware. This review is an evaluation to determine whether the threat landscape has changed and therefore may require additional controls outside of traditional anti-malware installations. There are several components which typically do not have or cannot have anti-malware agents installed, such as mainframes, vendor appliances, or low-level operating systems such as ESXi (VMware), Kubernetes clusters, etc. QSAs will be looking for organizations to establish a reasonable frequency based on the TRA and to demonstrate that the timeframe has been followed.
Using industry and vendor sources to identify emerging malware and attacks on systems.
3.2.1 - 5.2 Ensure that all anti-virus mechanisms are maintained as follows:
- Are kept current,
- Perform periodic scans
- Generate audit logs which are retained per PCI DSS Requirement 10.7.
Change: Reformulation + Split + amendment
4.0 - 5.3.1 The anti-malware solution(s) is kept current via automatic updates.
4.0 - 5.3.2 The anti-malware solution(s):
- Performs periodic scans and active or real-time scans, OR
- Performs continuous behavioral analysis of systems or processes.
4.0 - 5.3.5 Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.
4.0 - 5.1.1 All security policies and operational procedures that are identified in Requirement 5 are:
- Kept up to date.
- In use.
- Known to all affected parties.
4.0 - 5.1.2 Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood.
4.0 - 5.2.3.1 The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
4.0 - 5.3.2.1 If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
Note: This requirement requires a targeted risk analysis to establish a frequency for traditional scanning. QSAs will want to see documented analysis within the TRA and the organization's ability to demonstrate that the stated frequency has been followed.
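Both 5.2.3.1 and 5.3.2.1 come down to the same evidence question a QSA will ask: does the dated record show that the cadence written in the TRA was actually kept? The script below is an added example, not part of the original page and not a PCI SSC tool. It assumes a simple constructed log format (one dated line per periodic scan or per not-at-risk review, with an asset name) and constructed TRA outcomes of a weekly scan and a quarterly review; real anti-malware consoles and GRC tools export their own formats, so only the gap arithmetic is meant to carry over. It reports every interval longer than the TRA allows, including the open interval from the last record up to the assessment date, and flags assets that are expected to have evidence but have none at all.

```python
"""Evidence check for TRA-defined frequencies (PCI DSS 4.0 5.2.3.1 / 5.3.2.1).

Given the cadence an entity documented in its targeted risk analysis and the
dated evidence it collected (scan log lines, review records), report which
assets have a gap longer than the cadence allows. Log format and asset names
are constructed for this example.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed TRA outcomes: record kind -> maximum allowed interval in days.
TRA_FREQUENCY_DAYS = {
    "periodic_scan": 7,         # 5.3.2.1: weekly periodic scan decided in the TRA
    "not_at_risk_review": 90,   # 5.2.3.1: quarterly review of exempt components
}

# Constructed evidence, one record per line; the malformed line is deliberate.
SAMPLE_LOG = """\
2024-01-02 periodic_scan asset=pos-srv-01 result=clean
2024-01-09 periodic_scan asset=pos-srv-01 result=clean
2024-01-16 periodic_scan asset=pos-srv-01 result=clean
2024-01-02 periodic_scan asset=db-srv-02 result=clean
2024-01-20 periodic_scan asset=db-srv-02 result=clean
2023-10-15 not_at_risk_review asset=mainframe-a
2024-01-10 not_at_risk_review asset=mainframe-a
2023-09-01 not_at_risk_review asset=esxi-host-3
this line is not a valid record and is skipped
"""
AS_OF = date(2024, 1, 22)   # assessment date for the sample run (constructed)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<kind>periodic_scan|not_at_risk_review) "
    r"asset=(?P<asset>\S+)(?: result=(?P<result>\S+))?$"
)


def parse_events(lines):
    """Return {(kind, asset): sorted list of dates}; malformed lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events[(m["kind"], m["asset"])].append(date.fromisoformat(m["date"]))
    return {key: sorted(dates) for key, dates in events.items()}


def gaps_exceeding(dates, max_days, as_of):
    """Intervals (start, end, days) longer than max_days.

    The assessment date is appended so the interval since the last record is
    judged too: evidence that stopped months ago is a finding, not compliance.
    """
    points = list(dates) + [as_of]
    return [(a, b, (b - a).days)
            for a, b in zip(points, points[1:]) if (b - a).days > max_days]


def check_frequency(lines, as_of, expected=(), frequency=TRA_FREQUENCY_DAYS):
    """Return {(kind, asset): gap list}; [] means compliant, None means no evidence."""
    report = {}
    for key, dates in parse_events(lines).items():
        report[key] = gaps_exceeding(dates, frequency[key[0]], as_of)
    for key in expected:            # assets the inventory says must have records
        report.setdefault(key, None)
    return report


def run_sample():
    """Run the check over the constructed log; web-srv-09 is expected but unlogged."""
    return check_frequency(SAMPLE_LOG.splitlines(), AS_OF,
                           expected=[("periodic_scan", "web-srv-09")])


if __name__ == "__main__":
    for (kind, asset), gaps in sorted(run_sample().items()):
        if gaps is None:
            print(f"{kind:20} {asset:14} NO EVIDENCE")
        elif not gaps:
            print(f"{kind:20} {asset:14} ok")
        else:
            for start, end, days in gaps:
                print(f"{kind:20} {asset:14} gap {start} -> {end} ({days} days)")
```

The `expected` list is what turns this from a log summary into an assessment: it should come from the asset inventory (and, for 5.2.3.1, from the documented not-at-risk list), so that a component that silently dropped out of scanning shows up as "no evidence" rather than vanishing from the report.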
4.0 - 5.3.3 For removable electronic media, the anti-malware solution(s):
- Performs automatic scans when the media is inserted, connected, or logically mounted, OR
- Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.
- Modern anti-malware systems will perform behavioral analysis of any file executed regardless of storage location. Organizations must ensure that traditional anti-virus/malware systems are configured to immediately scan removable media when it is inserted or mounted.
- Most anti-malware solutions can be configured to scan removable media, though the functionality is usually disabled by default because of its user-experience impact: scanning a large USB drive with many files can take substantial time and be quite inconvenient.
- Organizations using a continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted are not required to enable an automatic scan of media upon insertion, connection, or logical mounting.
4.0 - 5.4.1 Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.
- These processes and mechanisms must be more than simple warnings about potential phishing. The requirement is for processes and automated mechanisms that not only detect phishing attempts but actually protect end users.
- This control will likely require action on email servers, even if those are outside the PCI CDE. There are solutions available today, and some cloud-based services such as Gmail and Microsoft Defender for Office 365 already include anti-phishing options.
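To make concrete what "detect and protect" rather than "warn" means at the mail gateway, here is an added example that is not part of the original page and not the policy of any named product. It assumes the receiving MTA has already added a standard Authentication-Results header (RFC 8601) and reads the From and Reply-To headers (RFC 5322); the verdict rules (quarantine on DMARC failure, on an internal-domain sender that did not pass DMARC, or on a Reply-To that points to a different domain than From) and the two sample messages are constructed for the example. A gateway that quarantines on these outcomes protects the user instead of just labelling the message.

```python
"""Illustrative mail-gateway policy for PCI DSS 4.0 5.4.1 (constructed example).

Parses the Authentication-Results header added by the receiving MTA plus the
From / Reply-To headers, and returns a deliver/quarantine verdict with reasons.
Header names are standard; the policy and sample messages are assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"example-merchant.com"}   # constructed: the entity's own domain

# Constructed sample: authenticated mail from a partner, no Reply-To.
LEGIT = """\
Authentication-Results: mx.example-merchant.com; spf=pass smtp.mailfrom=bank-partner.example; dkim=pass header.d=bank-partner.example; dmarc=pass header.from=bank-partner.example
From: "Partner Bank" <notices@bank-partner.example>
To: ap@example-merchant.com
Subject: Statement available

Your monthly statement is ready.
"""

# Constructed sample: spoofed internal sender, DMARC fail, Reply-To elsewhere.
SPOOF = """\
Authentication-Results: mx.example-merchant.com; spf=fail smtp.mailfrom=example-merchant.com; dkim=none; dmarc=fail header.from=example-merchant.com
From: "CEO" <ceo@example-merchant.com>
Reply-To: ceo.urgent@freemail.example
To: finance@example-merchant.com
Subject: Urgent wire

Please process the attached wire today.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'} from the
    Authentication-Results header(s); the first verdict per method wins."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            results.setdefault(method.lower(), verdict.lower())
    return results


def domain_of(header_value):
    """Domain part of an address header, lower-cased; '' if header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify(raw_message):
    """Return ('deliver', []) or ('quarantine', [reasons...]) for one message."""
    msg = message_from_string(raw_message)
    auth = auth_results(msg)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    reasons = []
    if auth.get("dmarc") == "fail":
        reasons.append("dmarc=fail")
    if from_domain in INTERNAL_DOMAINS and auth.get("dmarc") != "pass":
        # Mail claiming to be from our own domain must prove it; otherwise it is
        # the classic spoofed-executive pattern.
        reasons.append("internal From domain without dmarc=pass")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return ("quarantine" if reasons else "deliver", reasons)


if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOF", SPOOF)):
        verdict, why = classify(raw)
        print(f"{name}: {verdict} {why}")
```

The Reply-To rule is the one most likely to need tuning: mailing lists and ticketing systems legitimately set a Reply-To on another domain, so in production it would be scored alongside the authentication results rather than quarantining on its own, and the policy would be fed by the DMARC record of the From domain rather than a fixed internal-domain set.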