Frequently Asked Question
Can application whitelisting be used to meet PCI DSS Requirement 5?
Whether a particular whitelisting implementation can meet PCI DSS Requirement 5 will depend on the specific implementation. The intent of Requirement 5 is to detect, remove and protect system components from all forms of malware. Therefore, a solution that meets all aspects of Requirement 5, including the detection, removal and protection from malware, may be acceptable.
While additional anti-malware solutions may supplement the anti-virus software, many whitelisting solutions are not capable of meeting the “detection and removal” aspects of Requirement 5, and do not replace the need for anti-virus software to be in place. This is due to the risk that, without proper anti-virus software, known viruses and other malware could potentially propagate undetected within an environment. For a whitelisting solution to be considered an adequate control, it must meet all the sub-requirements under Requirement 5.
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?