Part 5: Road Map to PCI

Welcome to another installment of the PCI Road Map to Compliance!

This week, we are moving into the third area of focus in the Data Security Standards, “Maintain a Vulnerability Management Program.” There are two requirements that must be met in order to successfully Maintain a Vulnerability Management Program, and this post aims to help you understand how to meet the first of these two requirements.

Anti-Virus Software

Requirement 5 of the PCI Data Security Standards states the need to “Use and Regularly Update Anti-Virus Software.” Hopefully your organization already uses Anti-Virus and understands that having Anti-Virus enabled on computers should be a force of habit. In the professional world it is should be mandatory. It is likely that Anti-Virus software is already installed on your computers, but if you’re unsure,  you’ll need to find out.

Do I Have Anti-Virus Software?

If you are unsure whether Anti-Virus software is installed on your computer, check with the team member that manages your computers or a tech-savvy employee. They should be able to tell you which program you use if one is installed.

If you do not have someone in your organization who can tell you this, it is possible to perform a quick and easy check to determine whether or not you have Anti-Virus installed on all of your office computers.

If you are on a Windows machine, click on your Start menu followed by the Control Panel. Under the System and Security section, you can click on “Review your computer’s status”. This will display what you are currently using for Anti-Virus, and if you do not have Anti-Virus, it will let you know and direct you to obtain an Anti-Virus solution.

If you are using an Apple computer, you can check to see if you have Anti-Virus installed by looking for the application on your Dock or in your Applications folder. It is important to note that even if you are using an Apple computer, you do need to have Anti-Virus installed.

The Questions

According to Self Assessment Questionnaire C, just by confirming that you have Anti-Virus installed on all of the machines in the office means you have already completed one of the six questions for this requirement.

The remaining five questions in this requirement are to ensure that the appropriate settings are turned on for your Anti-Virus software, and that it can appropriately identify and protect against all types of malicious software. An “Anti-Virus Policy” should also be created and programs updated on all machines whenever available as required. Automatic updates and scans are required to be turned on for the master installation and any other installations, and the Anti-Virus software should generate and retain Audit Logs.

Depending on the Anti-Virus software that is installed on the machines, these options may or may not be available. It is important to make sure that these features are available when buying Anti-Virus software for computers that are on a network where card data can be entered. In order to determine if the above options are available, a good place to start is the website for the Anti-Virus Software company, such as, where you can learn about the features and contact their support team if needed. Google is always a good bet as well – doing a quick search for “Generate Audit Logs Norton (or any other Anti-Virus)” will round up useful results explaining how to enable the feature.

Anti-Virus Wrap Up

Thankfully, nearly all Anti-Virus software at this time is able to meet the requirements laid forth by the PCI Council, as these have become commonly required features. As far as technical PCI requirements go, this requirement happens to be easier to fulfill than most. Just using the right program can sometimes meet all of the standards within this requirement.

That finishes our look at the 5th requirement of the PCI Data Security Standards to “Use and Regularly Update Anti-Virus Software.” Be sure to check again next month when we look at the final requirement to maintaining a vulnerability management program, “Develop and Maintain Secure Systems and Applications.”

If you have any questions about PCI that you would like to see covered, let us know! You can email us at to share your thoughts or questions which we may then address here on our blog!