Requirement 5 - Protect All Systems and Networks from Malicious Software

Requirement 5 of PCI DSS 4.0 mandates that all system components handling cardholder data employ active malware protection, including anti-virus or anti-malware tools that are continuously updated, configured to run real-time scanning, and capable of detecting and removing malicious code. Organizations must also maintain processes to verify that protective mechanisms are operating effectively, conduct regular vulnerability scans, and ensure that any identified malware is promptly investigated and remediated.