PCI Council Moves to Accept Application Whitelisting to Address Malware in Requirement 5

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

In a major step forward for application whitelisting as an important control to meet compliance guidelines, the PCI Security Standards Council has put out the following guideline adjustment regarding addressing malware.

“The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.”

This is an important step forward for organizations that must meet PCI Data Security Standards (DSS) to prevent malware on their endpoints. Many recent attacks that have led to cardholder data theft have involved a wide blend of techniques that featured placing malware on servers and other endpoints. This was certainly the case in the recent Heartland data breach, where a variety of malware, backdoors, and packet sniffers were placed on key systems and resulted in the loss of over 130 million credit card numbers.

Application whitelisting would have gone far to thwart these types of threats. By restricting a given system to the applications authorized on it, whitelisting removes the threat of a hacker using an unpatched vulnerability to place malicious code on the system, because that code will not be allowed to run.

We applaud the PCI Security Standards Council for taking this step and officially moving its standard forward to address the serious threat of malware on endpoints. This is something that standards like NERC-CIP have also embraced and will certainly be more prevalent in the future. We are happy to see that our call to action in our recent post “Time For an Update of PCI Anti-Virus Requirements: Take a lesson from NERC CIP” has come to pass so quickly.
