POS system A/V and spyware


secguy
05-29-2007, 10:15 AM
Sub-requirement 5.1.1 requires anti-virus software to detect, remove and protect against spyware and adware.

Why would a point of sale (POS) system that runs Windows need A/V or spyware protection?

They do not have any access out to websites or email.
The only app they run is POS software.

jbhall56
05-29-2007, 11:36 AM
Any Windows system that is on a network is susceptible to attack and infection from other systems on the same network. So, you definitely need anti-virus software to protect your POS environment from virus, worm, Trojan, et al. infection.

As long as users are not using a browser for your POS application or providing POS Internet access, I would agree with your statement about anti-spyware. However, if you are using browser-based applications, even internally, I would still recommend an anti-spyware solution as a safety measure as someone could insert spyware into your own, internal Web-based application.

mdahn
05-31-2007, 10:57 PM
The key is protecting systems from compromise, or in this case infection from viruses. Just because your internal systems are not directly connected to the Internet does not mean you do not install AV.

But, if you can show that your POS systems are not susceptible to attack then you would not need to install AV on them. The requirement specifically states, "systems commonly affected by viruses".

2many?s
03-03-2009, 05:25 PM
Hello all.

We are planning to deploy handhelds for inventory scanning purposes in a retail brick-and-mortar environment. They will run either Windows Mobile 6 or Windows CE. They are not wireless capable and will synch with the back office system (which does have credit card data on it, in encrypted format for a short period of time, then hashed). These will synch for inventory requirements either via USB or ethernet connection while cradled. They will not transfer/store/process credit card data. Do we need to run anti-virus on these systems? The back office system does run all the required anti-virus with malware/spyware protection, file integrity monitoring, event log monitoring, etc.

If we can choose not to run anti-virus on these devices, it would be a huge win for us, just in terms of support, updating, etc. Are there compensating controls that can be used instead if it truly is a requirement?

Thanks

andrewj
03-03-2009, 08:39 PM
If these devices:
* do not have any other connections to any other networks/systems/memory devices (e.g. USB sticks, SD cards, etc.),
* do not themselves store/process/transmit credit card data, and
* the only connections they can have are to systems that have all required PCI controls,
then I see no value in running A/V software on them. Such software would only protect against signatures for that OS anyway (i.e. WinCE), and so if these devices were being used as an infection carrier to gain a beachhead into the CHD environment, it is quite possible that any installed A/V would not have the correct signatures to detect malware targeting the back office system.

2many?s
03-04-2009, 04:50 AM
> If these devices:
> * do not have any other connections to any other networks/systems/memory devices (e.g. USB sticks, SD cards, etc.),
> * do not themselves store/process/transmit credit card data, and
> * the only connections they can have are to systems that have all required PCI controls,
> then I see no value in running A/V software on them. Such software would only protect against signatures for that OS anyway (i.e. WinCE), and so if these devices were being used as an infection carrier to gain a beachhead into the CHD environment, it is quite possible that any installed A/V would not have the correct signatures to detect malware targeting the back office system.

Thank you very much!