Frequently Asked Question
Can application whitelisting be used to meet PCI DSS Requirement 5?
Whether a particular whitelisting implementation can meet PCI DSS Requirement 5 will depend on the specific implementation. The intent of Requirement 5 is to detect, remove and protect system components from all forms of malware. Therefore, a solution that meets all aspects of Requirement 5, including the detection, removal and protection from malware, may be acceptable.
While additional anti-malware solutions may supplement the anti-virus software, many whitelisting solutions are not capable of meeting the “detection and removal” aspects of Requirement 5, and do not replace the need for anti-virus software to be in place. This is due to the risk that, without proper anti-virus software, known viruses and other malware could potentially propagate undetected within an environment. For a whitelisting solution to be considered an adequate control, it must meet all the sub-requirements under Requirement 5.