Payment Card Industry (PCI) Data Security Standards Practice Test

Prepare for the Payment Card Industry (PCI) Data Security Standards Test. Study with multiple choice questions, hints, and explanations. Get ready to excel in your exam!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which of the following anti-virus software configurations meets PCI DSS requirements?

  1. Anti-virus updates are performed as part of the quarterly vulnerability scanning process

  2. Anti-virus software is disabled when not in use, and enabled upon user request

  3. Systems not commonly affected by malicious software are periodically reviewed to verify anti-virus is not required

  4. Logs of anti-virus software are securely deleted on a quarterly basis

The correct answer is: Systems not commonly affected by malicious software are periodically reviewed to verify anti-virus is not required

The correct response addresses the requirement of PCI DSS to ensure that systems potentially exposed to malware are protected. While the option chosen suggests that systems not commonly affected by malicious software can be reviewed to verify that anti-virus is unnecessary, this does not align with PCI DSS mandates. PCI DSS emphasizes that all systems should be protected against malware and that anti-virus software must be installed and operational on all systems that are at risk. In a compliant environment, anti-virus software should be routinely monitored and maintained across all systems, regardless of perceived risk levels. This option implies a potentially lax approach to security management, which may undermine the overall integrity of the system. In contrast, effective configurations complying with PCI DSS would ensure consistent implementation and management of anti-virus solutions to minimize the threat of malware across all applicable systems. Specifically, the ideal scenario would be one where anti-virus software is always enabled, subject to regular updates, and logging is maintained securely rather than deleted.