According to PCI DSS Requirements, anti-virus software must be:

Prepare for the PCI DSS Internal Security Assessor Test. Study with flashcards and detailed multiple choice questions, all featuring hints and explanations. Excel in your exam!

The requirement that anti-virus software must be installed on systems commonly affected by malware aligns with PCI DSS guidelines, which emphasize the importance of protecting cardholder data and ensuring that all systems vulnerable to malware are adequately secured.

This means that organizations are required to identify systems that could potentially be targeted by malware attacks due to their nature or the software they run, such as workstations, servers, and any other systems that process sensitive information. By focusing on systems that are susceptible, organizations can deploy anti-virus solutions strategically to mitigate risk effectively. This proactive approach aids in detecting, preventing, and removing malware, thus reinforcing the security posture of the organization.

Anti-virus software can also be installed on other devices and systems, such as mobile devices or transactional systems, but PCI DSS specifically emphasizes covering the systems that are most likely to encounter malicious software. This extends the security measures in place beyond transactional systems alone and encourages a more comprehensive protection strategy against potential threats.
