We often hear how a company was compromised by a sophisticated attack. This characterization contains all the romantic thrill of a spy movie, but it is usually not how most companies are victimized. Most breaches usually happen as a result of malware entering the environment. The need to protect against malware is addressed in progressive degrees in Requirement 5 of the new 4.0 version of the Payment Card Industry Data Security Standard (PCI DSS).
Ian Thornton-Trump, who has experience in both military intelligence, as well as corporate environments, sees profound impacts from the new requirement. Requirement 5 is titled: “Protect All Systems and Networks from Malicious Software.” This requirement flows along the same path as the previous version of the Standard, however, the PCI Security Standards Council (SSC) also anticipates that attackers are going to move to more targeted, as well as automated methods. This requires a similar, targeted and automated response to protect organizations.