Back

Lock antivirus configurations.


CONTROL ID
10047
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a malicious code protection program., CC ID: 00574

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Examine the anti-virus configurations, including the master installation and a sample of system components, to verify users cannot alter or disable the anti-virus software. (Testing Procedures § 5.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and observe processes to verify users cannot alter or disable anti-virus software, unless specifically authorized by management for a limited time. (Testing Procedures § 5.3.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Anti-virus mechanisms must be actively running and must not be disabled or altered by users, unless specifically authorized by management for a limited time period. (PCI DSS Requirements § 5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. (5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. (5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. (5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are all anti-virus mechanisms: - Actively running? - Unable to be disabled or altered by users? (5.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users. (5.3.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. (5.3.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. (5.3.5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine anti-malware configurations, to verify that the anti-malware mechanisms cannot be disabled or altered by users. (5.3.5.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are all anti-virus mechanisms actively running? (PCI DSS Question 5.3 Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms unable to be disabled or altered by users? (PCI DSS Question 5.3 Bullet 2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms actively running? (PCI DSS Question 5.3 Bullet 1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms unable to be disabled or altered by users? (PCI DSS Question 5.3 Bullet 2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms actively running? (PCI DSS Question 5.3 Bullet 1, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms unable to be disabled or altered by users? (PCI DSS Question 5.3 Bullet 2, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms actively running? (PCI DSS Question 5.3 Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are all anti-virus mechanisms unable to be disabled or altered by users? (PCI DSS Question 5.3 Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are all anti-virus mechanisms actively running? (PCI DSS Question 5.3 Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are all anti-virus mechanisms unable to be disabled or altered by users? (PCI DSS Question 5.3 Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. (5.3.5, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. (5.3.5, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. (5.3.5, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. (5.3.5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. (5.3.5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)