“The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional Anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.”
The PCI DSS 1.2 standard mandates the use of Antivirus technology, which at the time the standard was published was cutting-edge technology.
A lot has changed since then.
The Operation Aurora zero-day attacks and the Zeus botnet revealed that existing security platforms that use Antivirus and HIPS (host intrusion prevention) are not able to stop these attacks. There were no signatures or behavioral patterns available to stop these attacks. And the patch from Microsoft came days later. Germany went as far as to recommend that its citizens not use Microsoft Internet Explorer until the vulnerability was fixed because they were keenly aware that existing security defenses were not able to stop it. It has become clear that Anti-virus and HIPS are no longer cutting-edge technology.
Now the PCI Standards Council plans to add a new technology – Application Whitelisting-that can offer security in lieu of Antivirus. In fact many retailers are already using Application Whitelisting in lieu of Antivirus. There are many cases where Antivirus, with its constant need for updates and inability to keep up with the latest threat, is not the right technology.
We applaud the inclusion of Application Whitelisting in the PCI requirements. We are seeing similar inclusion of Application Whitelisting (and Application Control) requirements in the Government through NIST and CAG (Consensus Audit Guidelines).We also believe that this is an area where the Council can talk about security requirements in general and the end goal. This end goal – protecting the endpoints – is the key for our customers. For example, the discussion could be based on a requirement that: Mandates use of endpoint technologies that protect against known and unknown malware attacks – including Advanced Persistent Threats.
Application Whitelisting, as we have seen from the recent analyst research from Gartner, does just this.