Which statement describes the requirement for malware protection on systems?

Protecting all systems from malware while keeping the antivirus software up to date is what PCI DSS requires. The idea is to have active anti-malware protection on every system that could be affected by malware—desktops, servers, and other devices in the environment that handle cardholder data—and to keep the protection current with the latest virus definitions. Without broad coverage, some devices could harbor malware or become a gateway for breaches. Regular updates are crucial because new threats appear constantly, and outdated definitions can miss them. Limiting the requirement to servers, claiming antivirus is optional, or restricting it to Linux ignores other vulnerable devices and operating systems, which is why those options don’t fit. So the statement that covers all systems and requires up-to-date antivirus best reflects the PCI DSS expectation.