Microsoft Entra ID and PCI-DSS Requirement 5

Requirement 5: Protect All Systems and Networks from Malicious Software
Defined approach requirements

5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.

| PCI-DSS Defined approach requirements | Microsoft Entra guidance and recommendations |
|---|---|
| 5.1.1 All security policies and operational procedures that are identified in Requirement 5 are: documented; kept up to date; in use; known to all affected parties. | Use the guidance and links herein to produce the documentation to fulfill requirements based on your environment configuration. |
| 5.1.2 Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood. | Use the guidance and links herein to produce the documentation to fulfill requirements based on your environment configuration. |

5.2 Malicious software (malware) is prevented, or detected and addressed.

| PCI-DSS Defined approach requirements | Microsoft Entra guidance and recommendations |
|---|---|
| 5.2.1 An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components aren't at risk from malware. | Deploy Conditional Access policies that require device compliance (see Use compliance policies to set rules for devices you manage with Intune). Integrate device compliance state with anti-malware solutions (see Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune, and Mobile Threat Defense integration with Intune). |
| 5.2.2 The deployed anti-malware solution(s): detects all known types of malware; removes, blocks, or contains all known types of malware. | Not applicable to Microsoft Entra ID. |
| 5.2.3 Any system components that aren't at risk for malware are evaluated periodically to include the following: a documented list of all system components not at risk for malware; identification and evaluation of evolving malware threats for those system components; confirmation whether such system components continue to not require anti-malware protection. | Not applicable to Microsoft Entra ID. |
| 5.2.3.1 The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. | Not applicable to Microsoft Entra ID. |

5.3 Anti-malware mechanisms and processes are active, maintained, and monitored.

| PCI-DSS Defined approach requirements | Microsoft Entra guidance and recommendations |
|---|---|
| 5.3.1 The anti-malware solution(s) is kept current via automatic updates. | Not applicable to Microsoft Entra ID. |
| 5.3.2 The anti-malware solution(s): performs periodic scans and active or real-time scans, OR performs continuous behavioral analysis of systems or processes. | Not applicable to Microsoft Entra ID. |
| 5.3.2.1 If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. | Not applicable to Microsoft Entra ID. |
| 5.3.3 For removable electronic media, the anti-malware solution(s): performs automatic scans when the media is inserted, connected, or logically mounted, OR performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted. | Not applicable to Microsoft Entra ID. |
| 5.3.4 Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. | Not applicable to Microsoft Entra ID. |
| 5.3.5 Anti-malware mechanisms can't be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. | Not applicable to Microsoft Entra ID. |

5.4 Anti-phishing mechanisms protect users against phishing attacks.

| PCI-DSS Defined approach requirements | Microsoft Entra guidance and recommendations |
|---|---|
| 5.4.1 Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. | Configure Microsoft Entra ID to use phishing-resistant credentials (see Implementation considerations for phishing-resistant MFA). Use controls in Conditional Access to require authentication with phishing-resistant credentials (see Conditional Access authentication strength). Guidance herein relates to identity and access management configuration. To mitigate phishing attacks, deploy workload capabilities, such as in Microsoft 365 (see Anti-phishing protection in Microsoft 365). |
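The two Conditional Access controls this page maps to 5.2.1 (device compliance) and 5.4.1 (phishing-resistant authentication strength) only serve as compliance evidence when the policies are enabled rather than report-only, scoped to all users and cloud apps, and not hollowed out by exclusions. The following audit script is an added example, not Microsoft's code or the original article's; it assumes policy objects in the shape returned by Microsoft Graph `GET /identity/conditionalAccess/policies`, the sample policies are constructed, and the built-in strength display name is an assumption.

```python
# Added example, not Microsoft's code: audit Conditional Access policies (shape
# assumed to match Microsoft Graph GET /identity/conditionalAccess/policies) for
# the two controls this page maps to PCI-DSS 5.2.1 and 5.4.1.
PHISHING_RESISTANT = "Phishing-resistant MFA"  # built-in strength name (assumed)

SAMPLE_POLICIES = [  # constructed sample data, not from a real tenant
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Require phishing-resistant MFA",
     "state": "enabledForReportingButNotEnforced",  # report-only: logs, never blocks
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"displayName": PHISHING_RESISTANT}}},
]

def covers_all(p):
    c = p.get("conditions", {})
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))

def exclusions(p):
    u = p.get("conditions", {}).get("users", {})
    return u.get("excludeUsers", []) + u.get("excludeGroups", [])

def requires_compliant_device(p):
    g = p.get("grantControls") or {}
    controls = g.get("builtInControls", [])
    # Under operator OR any one listed control satisfies the grant, so a compliant
    # device is only mandatory when it is the sole control or ANDed with the others.
    return "compliantDevice" in controls and (len(controls) == 1 or g.get("operator") == "AND")

def requires_phishing_resistant(p):
    strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("displayName") == PHISHING_RESISTANT

def assess(policies):
    """Which control is enforced for all users/apps, and which exclusions weaken it."""
    out = {"5.2.1_compliant_device": False, "5.4.1_phishing_resistant": False, "exclusions": {}}
    for p in policies:
        if p.get("state") != "enabled" or not covers_all(p):  # report-only does not count
            continue
        out["5.2.1_compliant_device"] |= requires_compliant_device(p)
        out["5.4.1_phishing_resistant"] |= requires_phishing_resistant(p)
        if exclusions(p):
            out["exclusions"][p["displayName"]] = exclusions(p)
    return out
```

On the constructed sample, `assess(SAMPLE_POLICIES)` reports the compliant-device control as enforced but weakened by a group exclusion, and the phishing-resistant control as missing because its policy is still in report-only mode.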

Next steps

PCI-DSS requirements 3, 4, 9, and 12 aren't applicable to Microsoft Entra ID, therefore there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org: Official PCI Security Standards Council Site.

To configure Microsoft Entra ID to comply with PCI-DSS, see the following articles.