PABP Question


Cr8havock
09-07-2007, 11:54 AM
This question may fall under DSS as well. The question I have pertains to the following statement.

"Implementation of security devices. At a minimum, the following must be running per PCI DSS requirements: Firewall or traffic devices, NAT, PAT, AV and encryption."

If our environment is purely Linux, is it necessary to run AV? The payment system is on its own VLAN and is protected using iptables, so end-user traffic would be completely separate and go over different ports.

lyalc
09-07-2007, 03:22 PM
PCI DSS 5.1 states:
"Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)
Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes."

While on face value Linux is currently relatively free from virus risks, this may change. Thus, AV is probably not necessary on the Linux platform for now.
On the other hand, OSX from Apple is based on a *nix variant but is susceptible to malware and virus-style attack, so monitor for changes to the Linux virus risk (or ask your auditor this question).

My reading of the PABP requirement is that the solution must work without interfering with "Firewall or traffic devices, NAT, PAT, AV and encryption" that would be reasonably expected to be configured/installed in a customer installation.

Lyal

jbhall56
09-13-2007, 08:26 AM
To say that Linux is relatively free from viruses is a misrepresentation. While in recent times the number of viruses for Linux has been almost nil, there are still tons of viruses running around on the Internet for Linux implementations.

UNIX variants that are relatively safe from viruses are UNIX System V, Solaris, SunOS, AIX and HP-UX. However, this could change overnight.

And don't forget about issues with portable environments such as Java, which has been an attack vector in recent months. These so-called "safe" environments run Java and could be affected by a Java attack.

We recommend ClamAV for Linux and Mac OS X implementations. ClamAV is open source, so it can be compiled and run on other variants. But it could also require some tweaking to run correctly and/or effectively.

mdahn
09-16-2007, 01:23 AM
Lyalc is correct in that the assessor and company must decide where anti-virus and anti-malware programs should be applied, based on risk.