Ian Forde <ian at duckland.org> wrote: >> Yep - on the wikipedia page you referenced, look in the "Requirements" section, section 5. It says: "Use and regularly update anti-virus software on all systems commonly affected by malware" << I doubt Amos's QSA is using Wikipedia as his reference, unfortunately. The PCI DSS Ver 1.2 standard (of Oct. 2008 - get it from https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html) actually states: 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). but then goes on, under "Testing Procedures" to state: 5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists. Unfortunately, both open-source and commercial anti-virus software that will run on Centos do exist, which gives the assessor some wiggle-room. Even worse, the Summary of Changes from 1.1 to 1.2 says: Requirement & Testing Procedure: Clarified requirement applies to all operating systems types commonly affected by malicious software, if applicable anti-virus technology exists. Besides use of the term "anti-virus software", changed the term "virus" to "malicious software". Deleted note stating "Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes." That last sentence is a killer, unfortunately - it means they have been tightening up on *ix systems. Looks like you could be in for a battle if the QSA is an intransigent sort. You could argue that while anti-virus programs do exist, their purpose is to detect infected files which could harm connected Windows systems, and are therefore not applicable in your specific case, particularly since you are using proprietary protocols and not running Windows file-sharing software (e.g. Samba, FTP, etc.) It really comes down to whether your Assessor is clueful, or a box-ticking droid. Best, --- Les Bell [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909