Diff: FAQ #1051

Is application whitelisting a suitable compensating control to meet Requirement 5?

Earlier Version (2009-10-27 00:00:00 UTC)

Whether a particular whitelisting implementation can meet PCI DSS Requirement 5 will depend on the specific implementation. The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirements under Requirement 5.

Later Version (2015-07-29 17:13:00 UTC)

Whether a particular whitelisting implementation can meet PCI DSS Requirement 5 will depend on the specific implementation. The intent of Requirement 5 is to detect, remove and protect system components from all forms of malware. Therefore, a solution that meets all aspects of Requirement 5, including the detection, removal and protection from malware, may be acceptable.

While additional anti-malware solutions may supplement the anti-virus software, many whitelisting solutions are not capable of meeting the “detection and removal” aspects of Requirement 5, and do not replace the need for anti-virus software to be in place. This is due to the risk that, without proper anti-virus software, known viruses and other malware could potentially propagate undetected within an environment. For a whitelisting solution to be considered an adequate control, it must meet all the sub-