PCI Council Views on Application Whitelisting

Recently the PCI Security Standards Council released an FAQ stating that “application whitelisting” can, in some situations, be used as a compensating control for antivirus.
The exact text of the FAQ is:
“The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.”
Some application whitelisting vendors are applauding the Council’s statement, calling it a big step in the right direction and a big win for the industry.
It is a step in the right direction, but a lot needs to change before people will believe that compliance is a path to security. PCI DSS 1.2 mandates the use of antivirus, which was cutting-edge technology when the standard was released; nothing better was available for security at that time.
Now the PCI Standards Council plans to add a new technology, application whitelisting, that can offer security on top of, or in lieu of, antivirus. However, the discussion is still about technologies.
Security standards like PCI should talk more about security requirements rather than technologies. For example, they should be writing requirements (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.