FAQ #1051 Diff
Is application whitelisting a suitable compensating control to meet Requirement 5?
Earlier Version
Whether a particular whitelisting implementation can meet PCI DSS Requirement 5 will depend on the specific implementation. The Council is looking for equivalent controls that address all types of threats referenced in Requirement 5, which are often found in traditional anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.

Later Version
Whether a particular whitelisting implementation can meet PCI DSS Requirement 5 will depend on the specific implementation. The intent of Requirement 5 is to detect, remove and protect system components from all forms of malware. Therefore, a solution that meets all aspects of Requirement 5, including the detection, removal and protection from malware, may be acceptable. While additional anti-malware solutions may supplement the anti-virus software, many whitelisting solutions are not capable of meeting the “detection and removal” aspects of Requirement 5, and do not replace the need for anti-virus software to be in place. This is due to the risk that, without proper anti-virus software, known viruses and other malware could potentially propagate undetected within an environment. For a whitelisting solution to be considered an adequate control, it must meet the sub-requirements under Requirement 5.
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.