
In June 2024, the Payment Card Industry (PCI) Security Standards Council released version 4.0.1 of the PCI Data Security Standards (PCI DSS) detailing numerous best practices which organizations that store and process payment card information should implement. PCI DSS outlines the ways in which compliant organizations must store and process information, including when that data is stored on the cloud. With cloud storage and the popularity of online payments expanding, modern organizations must understand how they can remain compliant and trustworthy to end users and customers. As of April 1st, 2025, these new “best practices” become mandatory and are within scope of audit for continued compliance.
Background
Research from the SANS Institute shows that 22.4% of organizations store customer card information in public cloud environments. Fewer than half of all organizations can assure customers and end users that they have not lost protected cloud data in the last 12 months.
Protected data includes primary account numbers (PANs), cardholder names, expiration dates, CVV codes, PINs and more. The PCI DSS 4.0.1 considers the entire cardholder data environment (CDE), even if processed and stored in the cloud, as within its scope and subject to regulation.
Meeting Malware Scanning Requirements
PCI DSS Requirement 5 requires organizations to “Protect All Systems and Networks from Malicious Software”. This includes cloud storage and any system or process that interacts with the defined CDE. Further, PCI DSS mandates that a satisfactory anti-malware solution “Detect[s] all known types of malware AND removes, blocks, or contains all types of malware.” (PCI DSS Requirement 5.2.2).
The coverage and frequency of scanning provided are crucial factors when evaluating malware scanning solutions that may satisfy this requirement for your organization. To scan all storage repositories within the defined CDE, a solution that provides support for multiple cloud platforms, alongside individual services within those platforms, may be necessary. PCI DSS Requirement 5.3.2 takes malware scanning a step further by mandating “The deployed anti-malware solution(s): Perform periodic scans and active or real-time scans”. The ability to scan existing data on a scheduled basis and run event-based scanning may be required when selecting a solution to satisfy this requirement.
Cloud Storage Security’s (CSS) malware scanning solution provides customers with the ability to scan Amazon S3, Amazon EFS, Amazon EBS, Amazon FSx, Microsoft Azure Blob, and Google Cloud Storage resources for malware on an event-based and scheduled basis.
While PCI DSS v4.0.1 does not focus on it, organizations should consider solutions that make it easy to submit scanning reports to auditors checking for compliance. All activities taken by Cloud Storage Security’s malware scanning solution are logged and easily exported in .csv format. This information includes timestamps, the volume of data scanned, the number of objects scanned, and information on malicious files discovered, if applicable.
Figure 1. Scan Results exported into a .csv format detailing the number of objects scanned per bucket.
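The following is an added example, not code from the original page or from Cloud Storage Security: it reads a scan-results export of the kind described above (one row per scan, per bucket) and checks it against the two points an auditor would look for under Requirement 5.3.2, namely that every bucket in the CDE has a periodic scan within the review window and that any malicious objects found are surfaced as evidence. The column names, the sample rows and the CDE bucket list are constructed assumptions modelled on the fields the text lists.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names are assumptions based on the fields the
# text describes (timestamp, bucket, volume scanned, objects scanned, malicious files).
SAMPLE_EXPORT = """timestamp,bucket,bytes_scanned,objects_scanned,malicious_objects
2025-03-01T02:00:00Z,cde-card-archive,5242880000,12400,0
2025-03-29T02:00:00Z,cde-card-archive,5300000000,12510,1
2025-02-10T02:00:00Z,cde-receipts,120000000,900,0
2025-03-30T11:15:00Z,cde-uploads,1048576,3,0
"""

# Hypothetical inventory of buckets that are in scope of the CDE. Note that
# "cde-tokens" has no scan rows at all, which the report must flag.
CDE_BUCKETS = {"cde-card-archive", "cde-receipts", "cde-uploads", "cde-tokens"}

# Date the evidence is being reviewed (constructed).
AS_OF = datetime(2025, 3, 31, tzinfo=timezone.utc)


def parse_export(text):
    """Parse the .csv export into typed rows (UTC timestamps, integer counts)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "timestamp": ts.replace(tzinfo=timezone.utc),
            "bucket": row["bucket"],
            "objects_scanned": int(row["objects_scanned"]),
            "malicious_objects": int(row["malicious_objects"]),
        })
    return rows


def coverage_report(rows, cde_buckets, as_of, max_age_days=30):
    """Buckets with no scan inside the window, plus detections that need follow-up."""
    cutoff = as_of - timedelta(days=max_age_days)
    last_scan, detections = {}, {}
    for r in rows:
        b = r["bucket"]
        if b not in last_scan or r["timestamp"] > last_scan[b]:
            last_scan[b] = r["timestamp"]
        if r["malicious_objects"] > 0:
            detections[b] = detections.get(b, 0) + r["malicious_objects"]
    # A bucket is stale if it was never scanned or its newest scan predates the cutoff.
    stale = sorted(b for b in cde_buckets if b not in last_scan or last_scan[b] < cutoff)
    return {"stale_buckets": stale, "detections": detections}


def run_sample():
    return coverage_report(parse_export(SAMPLE_EXPORT), CDE_BUCKETS, AS_OF)
```

Run against the sample, the report flags cde-receipts (last scanned 49 days earlier) and cde-tokens (never scanned) as gaps in periodic coverage, and lists the single detection in cde-card-archive so its containment can be evidenced separately.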
About Cloud Storage Security
Cloud Storage Security (CSS) is committed to securing cloud storage environments against cyber threats. Our advanced malware detection solutions safeguard organizations from ransomware and other security risks, preserving the integrity of cloud-stored data. Contact a subject matter expert today to take advantage of an unlimited, flat-rate license that could help your organization satisfy PCI DSS v4.0 requirements.
Copyright © 2025 Cloud Storage Security. All rights reserved. The information in this document is subject to change at any time based on revisions by applicable regulations and standards. Any forward looking statements are not predictions and are subject to change without notice. Cloud Storage Security is not responsible for any errors or omissions. Cloud Storage Security is not providing advice or guidance with respect to any regulatory framework and is not responsible for violations as a result of any information contained.