
How Windows XP end of life conflicts with PCI DSS requirement 6.2

Expert Mike Chapple explains why companies running Windows XP will have trouble meeting PCI DSS requirement 6.2 after the Windows XP end-of-life date.

I work for a regional retailer, and we still utilize Windows XP machines throughout most of the organization. Our IT team has tried to convince higher-ups of the need to migrate to newer OSes, but they frankly don't seem to care, as long as the machines they have are still functioning. We process millions of card transactions a year, so we're obviously subject to PCI DSS requirements. I'm curious how Windows XP reaching end-of-life status will impact our PCI compliance status. Will it matter to a QSA that we're running XP machines, and if so, is there a way to stay compliant, particularly after XP updates end in 2014?


If an organization continues to run the Windows XP operating system after Microsoft's end-of-life date of April 8, 2014, it will no longer be compliant with the Payment Card Industry Data Security Standard (PCI DSS). If an enterprise has not already begun making plans to upgrade or replace its systems running XP, now is the time to do so.

Why is this the case? Consider what it means for Windows XP to reach its end-of-life date, including this statement Microsoft makes on its Windows XP end-of-life website: "After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates." Basically, the company will no longer actively pursue identifying or correcting security vulnerabilities in Windows XP.

Now, contrast Microsoft's stance with organizations' obligations under PCI DSS requirement 6.2: "Ensure that all system components and software are protected from known vulnerabilities by installing applicable, vendor-supplied security patches. Install critical security patches within one month of release." As soon as the first new XP vulnerability is discovered after April 8, an organization will automatically be out of compliance with PCI DSS because it will likely be unable to ensure that its systems are protected against a potential exploit.

Originally released in August 2001, Windows XP is now over 12 years old. Come April, there will be no way to responsibly run Windows XP on a system that is connected to any kind of network. Also, the security measures introduced in Windows 7 and Windows 8, including upgraded versions of Address Space Layout Randomization and SmartScreen Filter, as well as the addition of Secure Boot, are too great to ignore. Simply put, it's time enterprises let go of XP.
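The two conditions the answer derives from requirement 6.2 (the operating system must still receive vendor patches, and critical patches must be installed within one month of release) can be checked mechanically against a host inventory. The following is an added example, not code from the original column; the host names, patch ids and support table are constructed, and the only real date in it is the April 8, 2014 end-of-support date quoted above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Vendor end-of-support dates. Assumption: maintained by the compliance team;
# the Windows XP date is the one quoted in the article (April 8, 2014).
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8)}

# PCI DSS 6.2: critical security patches installed within one month of release.
PATCH_WINDOW = timedelta(days=30)


@dataclass
class Patch:
    patch_id: str      # placeholder ids below, not real KB numbers
    released: date
    installed: bool


@dataclass
class Host:
    name: str
    os: str
    critical_patches: list = field(default_factory=list)


def check_host(host: Host, today: date) -> list:
    """Return 6.2 findings for one host; an empty list means no finding."""
    findings = []
    eos = END_OF_SUPPORT.get(host.os)
    if eos is not None and today > eos:
        # No vendor patches exist after end of support, so the host cannot be
        # "protected from known vulnerabilities" by patching at all.
        findings.append(f"{host.name}: {host.os} unsupported since {eos}")
    for p in host.critical_patches:
        if not p.installed and today - p.released > PATCH_WINDOW:
            findings.append(f"{host.name}: critical patch {p.patch_id} overdue")
    return findings


def assess(hosts: list, today: date) -> dict:
    """Map host name -> findings, so an assessor can list non-compliant hosts."""
    return {h.name: check_host(h, today) for h in hosts}


# Constructed sample inventory: hypothetical hosts and placeholder patch ids.
SAMPLE_HOSTS = [
    Host("POS-01", "Windows XP", [Patch("PATCH-A", date(2014, 2, 11), True)]),
    Host("BO-02", "Windows 7", [Patch("PATCH-B", date(2014, 4, 8), False)]),
    Host("BO-03", "Windows 7", [Patch("PATCH-B", date(2014, 4, 8), True)]),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_HOSTS, date(2014, 5, 15)).items():
        print(name, "OK" if not findings else findings)
```

Run against the same inventory on April 1, 2014 every host passes; on May 15, 2014 the XP terminal fails on the support condition and the unpatched Windows 7 host fails on the 30-day window, which is the distinction a QSA will draw.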

This was first published in January 2014
