Malicious software, or malware, includes but is not limited to viruses, worms, trojans and rootkits.
Thus any system vulnerable to malware needs to have protective software installed; that software should be centrally managed and, as a general rule, end-users should not be able to disable it.
As an alternative to anti-malware, we find application whitelisting solutions, which allow only vetted applications (generally identified by a cryptographic signature) to run, thus preventing (unsigned) malware from executing. Application whitelisting may also be less resource intensive on systems. As always, no technology is a perfect solution, which is why we have to maintain multiple layers of controls.
The one part of requirement 5 that may get a different interpretation is that it applies only to systems "commonly affected by malicious software" (5.1.2). Generally, this has been taken to mean any end-user general purpose operating system such as all versions of Microsoft Windows, Apple's Mac OSX and some desktop usage of Linux. Windows is the one most people think about, as it has been targeted more than the others since it represents the standard in the business world. Whatever definition you decide to use internally, a new requirement introduced in PCI DSS 3.0 obliges the organization to re-evaluate periodically (at least annually) whether the excluded systems warrant the use of anti-malware software (5.1.2); Windows cannot be considered not affected. For example, an organization that uses Linux or OSX as a desktop may (not necessarily should) consider these to not be commonly affected by malware, but it would still need to review whether that claim stands up. Remember that humans (who will use these computers) are often the weakest link in the security chain.
- Section 3.7.5 of Volume 3