PCI-DSS places significant emphasis on proactive vulnerability management and regular security testing. Requirements 5, 6, and 11 collectively address anti-malware protection, secure development, vulnerability scanning, and penetration testing.

Requirement 5: Anti-Malware

All systems commonly affected by malicious software must have anti-malware solutions that:

  • Detect all known types of malware and remove, block, or contain it (5.2.2)
  • Perform periodic scans plus active/real-time (on-access) scanning, or continuous behavioural analysis of systems or processes (5.3.2)
  • Generate audit logs and retain them in accordance with Requirement 10.5.1 (at least 12 months, with the most recent three months immediately available)
  • Cannot be disabled or altered by users unless specifically documented and authorised by management on a case-by-case basis for a limited time period (5.3.5)
  • Be complemented by processes and automated mechanisms that detect and protect personnel against phishing attacks (5.4.1; introduced in v4.0 as a best practice and required from 31 March 2025)

Requirement 6: Secure Development

Organisations must develop and maintain secure systems and software:

  • Patch management — Install critical or high-security patches (as classified by the entity's risk ranking process in 6.3.1) within one month of release; all other applicable patches within an appropriate timeframe defined by the entity, for example within three months (6.3.3)
  • Secure development lifecycle — Develop bespoke and custom software based on industry standards and/or best practices, with information security addressed throughout the SDLC (6.2.1)
  • Public-facing web applications — Under 6.4.1, protect them either by manual or automated vulnerability assessment at least once every 12 months and after significant changes, or by an automated technical solution such as a web application firewall (WAF) that continually detects and prevents web-based attacks. Note that 6.4.2 makes the automated solution mandatory from 31 March 2025 and replaces 6.4.1 on that date, so assessment alone will no longer satisfy the requirement
  • Change control — All changes to system components must follow a change management process with a documented reason and description, impact analysis, approval, testing, and rollback procedures (6.5.1)
  • Training — Development personnel must receive training on software security relevant to their job function and languages at least once every 12 months, covering common vulnerabilities (for example the OWASP Top 10 and CWE Top 25) and the tools used to detect them (6.2.2)

Requirement 11: Security Testing

Regular testing ensures that security controls remain effective:

Quarterly ASV Scans (Requirement 11.3.2)

External vulnerability scans must be performed quarterly by an Approved Scanning Vendor (ASV):

  • Scans must cover all externally accessible (internet-facing) IP addresses and domains
  • A passing scan has no vulnerabilities with a CVSS base score of 4.0 or higher (per the ASV Program Guide), and no automatic failures such as open card-holder data exposure
  • Failing scans must be remediated and re-scanned until a passing result is achieved
  • For initial compliance, four passing scans within 12 months are not required: the assessor verifies that the most recent scan passed, that documented policies and procedures require scanning at least once every three months, and that any vulnerabilities found have been corrected and confirmed by re-scan. After the first assessment, four consecutive passing quarterly scans are expected

Internal Vulnerability Scanning (Requirement 11.3.1)

Internal vulnerability scans must be performed:

  • At least once every three months (11.3.1) and after any significant change to the environment (11.3.1.3)
  • All high-risk and critical vulnerabilities (per the entity's vulnerability risk rankings in 6.3.1) must be resolved; lower-risk findings are addressed based on the risk ranking
  • Rescans must be performed to verify remediation
  • Scans must be authenticated, using credentials with sufficient privilege to enumerate the system and managed per Requirement 8, for any system that supports it (11.3.1.2; best practice until 31 March 2025, required thereafter)

Penetration Testing (Requirement 11.4)

Penetration testing must be performed:

  • External (11.4.3) and internal (11.4.2) penetration tests at least once every 12 months and after any significant infrastructure or application change
  • Test from both inside and outside the network, covering the entire CDE perimeter and critical systems (11.4.1)
  • Test both the network layer and the application layer, using an industry-accepted methodology (11.4.1)
  • Include segmentation testing to validate that out-of-scope systems are isolated from the CDE, at least once every 12 months and after changes to segmentation controls (11.4.5); service providers must repeat segmentation testing at least once every six months (11.4.6)
  • Exploitable vulnerabilities and security weaknesses found during testing are corrected and the correction verified by repeating the test (11.4.4)
  • By a qualified internal resource or qualified external third party with organisational independence from the systems tested (the tester need not be a QSA or ASV)

Application Security Testing (Requirement 6.2)

Bespoke and custom software must be reviewed for vulnerabilities:

  • Review prior to release to identify and correct potential coding vulnerabilities, by individuals other than the author who are knowledgeable in code review and secure coding, with corrections made before release (6.2.3)
  • Software engineering techniques that prevent or mitigate common software attacks: injection, attacks on data and data structures, cryptographic misuse, business-logic abuse, and access-control bypass (6.2.4); the OWASP Top 10 and CWE Top 25 are typical reference lists
  • For public-facing web applications, manual or automated vulnerability assessment at least once every 12 months and after significant changes (6.4.1)

Tracking Assessments in Venvera

The Vulnerability Management module tracks all security assessments with the following information:

  • Assessment type — Vulnerability scan, penetration test, ASV scan, application scan, or segmentation test
  • Provider — The ASV, pen test firm, or internal team performing the assessment
  • Scan/test dates — When the assessment was performed and when the next one is due
  • Pass/fail status — Whether the assessment result meets PCI-DSS requirements
  • Findings breakdown — Critical, high, medium, and low findings counts
  • Remediation deadline — Target date for resolving identified vulnerabilities
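The ASV pass/fail rule (no finding with a CVSS base score of 4.0 or higher) and the tracking fields above are simple enough to model directly. The following is an added example, not Venvera code and not part of the PCI DSS standard: it takes a constructed list of findings from one external scan, decides pass/fail, bins findings by CVSS v3 severity, and computes a next-due date and a remediation deadline. The cadence table and the remediation policy (critical/high within one month, everything else within three months, both measured from the scan date rather than from patch release) are assumptions standing in for an entity's own documented policy.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

# ASV Program Guide: any vulnerability with a CVSS base score >= 4.0 fails the scan.
ASV_FAIL_THRESHOLD = 4.0

# Assumed cadence in months, mirroring "at least once every three / twelve months".
CADENCE_MONTHS = {
    "asv_scan": 3,
    "internal_scan": 3,
    "pen_test": 12,
    "segmentation_test": 12,
}


@dataclass
class Finding:
    host: str
    title: str
    cvss: float  # CVSS v3.x base score as reported by the scanner


@dataclass
class Assessment:
    kind: str
    provider: str
    performed_on: date
    findings: list[Finding]


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day so 31 Jan + 1 month is 28/29 Feb, not an error."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if cvss == 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"


def asv_scan_passes(findings: list[Finding]) -> bool:
    return all(f.cvss < ASV_FAIL_THRESHOLD for f in findings)


def failing_findings(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.cvss >= ASV_FAIL_THRESHOLD]


def findings_breakdown(findings: list[Finding]) -> dict[str, int]:
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for f in findings:
        s = severity(f.cvss)
        if s in counts:
            counts[s] += 1
    return counts


def remediation_deadline(a: Assessment) -> date | None:
    """Assumed policy: critical/high within one month, anything else within three months."""
    if not a.findings:
        return None
    if any(severity(f.cvss) in ("critical", "high") for f in a.findings):
        return add_months(a.performed_on, 1)
    return add_months(a.performed_on, 3)


def evaluate(a: Assessment) -> dict:
    """Produce the record a tracking module would store for one assessment."""
    passed = asv_scan_passes(a.findings) if a.kind == "asv_scan" else not failing_findings(a.findings)
    return {
        "type": a.kind,
        "provider": a.provider,
        "performed_on": a.performed_on,
        "next_due": add_months(a.performed_on, CADENCE_MONTHS[a.kind]),
        "status": "pass" if passed else "fail",
        "breakdown": findings_breakdown(a.findings),
        "remediation_deadline": remediation_deadline(a),
        "blocking": [f.title for f in failing_findings(a.findings)],
    }


# Constructed sample: one external scan with a medium and a low finding (example data, not a real scan).
SAMPLE = Assessment(
    kind="asv_scan",
    provider="Example ASV Ltd",
    performed_on=date(2025, 1, 31),
    findings=[
        Finding("203.0.113.10", "TLS 1.0 enabled on HTTPS listener", 6.5),
        Finding("203.0.113.10", "Web server version disclosed in banner", 2.6),
    ],
)

if __name__ == "__main__":
    for k, v in evaluate(SAMPLE).items():
        print(f"{k}: {v}")
```

A finding at 6.5 is only "medium" on the CVSS scale but still fails an ASV scan, which is why the record reports both the severity breakdown and the blocking findings separately; the two are different questions (what to fix first versus whether the quarter's scan counts).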