TABLE OF CONTENTS



What is Vulnerability Management?

  • This is a process of systematically and continuously finding weak points within the payment card infrastructure.
  • This includes:
    • Security procedures
    • System design
    • Implementation
    • Internal controls that have exploitable weaknesses to violate a security policy/

Back to top


Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Malicious software("malware") exploits system vulnerabilities. These can be entered into a users network via multiple sources. The common are e-mail and business activities. Anti-virus software must be used on systems commonly affected by malware.


  • What is involved in this requirement?
    • Deploy anti-virus software on all systems commonly vulnerable for malware.
      • Systems that do not commonly get affected will need periodic evaluations to evaluate evolving threats and ensure system will not require anti-virus software.
    • Ensure that all anti-virus mechanisms are kept current, perform periodic scans, and generate audit logs.
    • Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users.
      • Case-by-case scenarios can allow specific users to have a limited time of authorization
    • Ensure that related security policies and procedures are documented, in use and known to all parites.

Back to top


Requirement 6: Develop and maintain secure systems and applications

Vulnerabilities within systems may allow criminals to access PAN and other cardholder data. The installation of vendor-provided security patches, which perform quick repair jobs for code can help eliminate these vulnerabilities.


  • What is involved in this requirement
    • Establish a process to identify vulnerabilities. 
      • Use reputable sources
      • Assign Risk rankings (high, medium, low) to new vulnerabilities
    • Protect all components and software from known vulnerabilities
      • Install vendor-supplied security patches
      • install critical security patches within one month of release
    • Develop internal and external applications for accessing applications in accordance with PCI DSS and industry best practices.
    • Follow change control processes and procedures for all system components.
    • Prevent common coding vulnerabilities during software development by training developers in secure coding techniques.
    • Ensure public-facing applications are secure and protected from known attacks.
      • Install an automated technical solution that detects and prevents web-based attacks.
    • Ensure that security policies and operational procedures are documented.

Back to top


Additional Resources and Help!

Still have questions? Please contact us any time at support@ezsoftpos.com.


NOTE: If emailing, please include your business name in the subject line of the email

and provide your preferred contact information for the best response time.


Visit our help center Help Center for more guides and tutorials