I work for a regional retailer, and we still utilize Windows XP machines throughout most of the organization. Our...
IT team has tried to convince higher-ups of the need to migrate to newer OSes, but they frankly don't seem to care, as long as the machines they have are still functioning. We process millions of card transactions a year, so we're obviously subject to PCI DSS requirements. I'm curious how Windows XP reaching end-of-life status will impact our PCI compliance status. Will it matter to a QSA that we're running XP machines, and if so, is there a way to stay compliant, particularly after XP updates end in 2014?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
If an organization continues to run the Windows XP operating system after Microsoft's end-of-life date of April 8, 2014, it will no longer be compliant with the Payment Card Industry Data Security Standard (PCI DSS). If an enterprise has not already begun making plans to upgrade or replace its systems running XP, now is the time to do so.
Why is this the case? Consider what it means for Windows XP to reach its end-of-life date, including this statement Microsoft makes on its Windows XP end-of-life website: "After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates." Basically, the company will no longer actively pursue identifying or correcting security vulnerabilities in Windows XP.
Now, contrast Microsoft's stance with organizations' obligations under PCI DSS requirement 6.2: "Ensure that all system components and software are protected from known vulnerabilities by installing applicable, vendor-supplied security patches. Install critical security patches within one month of release." As soon as the first new XP vulnerability is discovered after April 8, an organization will automatically be out of compliance with PCI DSS because it will likely be unable to ensure that its systems are protected against a potential exploit.
Originally released in August 2001, Windows XP is now over 12 years old. Come April, there will be no way to responsibly run Windows XP on a system that is connected to any kind of network. Also, the security measures introduced in Windows 7 and Windows 8, including upgraded versions of Address Space Layout Randomization and SmartScreen Filter, as well as the addition of Secure Boot, are too great to ignore. Simply put, it's time enterprises let go of XP.
Related Q&A from Mike Chapple
The updated HITRUST Common Security Framework allows organizations to manage privacy, security and compliance with one framework. Here's how it works...continue reading
A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits.continue reading
A data breach warranty may seem like a tempting way to survive a costly attack, but it may not be all it's hyped up to be. Expert Mike Chapple ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.