Whitelisting pushing out antivirus at some security-minded retailers

The influential Payment Card Industry (PCI) rules call for use of antivirus software to protect debit and credit cards, but some retailers have found a substitute that's been accepted in place of it: whitelisting technology.

Application whitelisting works on a host computer to prevent unauthorized applications from running. The official PCI rules published by the PCI Security Standards Council don't include any mention of it, but some merchants and retailers are saying that their PCI-certified auditors are signing off on whitelisting as a substitute for antivirus software, which is giving them what they say is a needed A/V break.


"We started out with antivirus," says Bruce Snyder, manager of IT retail operations at La Crosse, Wis.-based convenience store chain Kwik Trip, which has 436 locations. But on the stores' point-of-sale (POS) systems in particular, running antivirus turned out to be hugely resource-intensive, enough so that it was even slowing down POS devices and impacting customer service.

Kwik Trip decided to try whitelisting technology -- its vendor is Bit9 -- as a substitute for antivirus since whitelisting should stop malware from executing. But as a sizeable "Level 1" retailer in the PCI-compliance world, Kwik Trip needed to have its PCI qualified security assessor (QSA), McGladrey, sign off on the change. The PCI auditor did, approving whitelisting as a substitute for antivirus. "They allowed us to do that, to replace A/V with whitelisting as a 'compensating control,'" Snyder says.

Today, Bit9 software is running only on Kwik Trip's POS terminals, but will be extended to store PCs by the end of next year, Snyder says. He adds that he hopes the PCI Council considers broadening the data-security rules to include whitelisting in the future.

Another large retailer and Bit9 customer, Louisville, Ky.-based Thorntons, had a similar experience related to PCI compliance in its convenience stores. Its PCI QSA, Trustwave, also gave the thumbs-up to whitelisting, says Jeffrey O'Gara, network administrator there. Traditional A/V was harder to maintain because of its updates and took more megabytes to run than whitelisting, he says.

The PCI Security Standards Council did not provide anyone to discuss whitelisting, but a spokeswoman noted: "If another type of solution addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement."

Forrester analyst Chenxi Wang says it's not that common to hear about retailers subject to PCI rules using whitelisting as an approved substitute for A/V, but this phenomenon is occurring a lot outside the PCI-focused world.


Even though antivirus software is still widely used, there's increasing skepticism about the value of antivirus to prevent malware infections, Wang says. "If you ask them, 'do you use A/V today,' they say 'yes.' But if you ask them how effective it is, they all say A/V hasn't worked in a long time."

The downside of whitelisting has often been considered the difficulty in updating legitimate applications, but Wang says that this issue is fading as whitelisting products have gotten better. "It's not that much of a burden on the user experience," she says.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.
