I work for a regional retailer, and we still utilize Windows XP machines throughout most of the organization. Our IT team has tried to convince higher-ups of the need to migrate to newer OSes, but they frankly don't seem to care, as long as the machines they have are still functioning. We process millions of card transactions a year, so we're obviously subject to PCI DSS requirements. I'm curious how Windows XP reaching end-of-life status will impact our PCI compliance status. Will it matter to a QSA that we're running XP machines, and if so, is there a way to stay compliant, particularly after XP updates end in 2014?
If an organization continues to run the Windows XP operating system after Microsoft's end-of-life date of April 8, 2014, it will no longer be compliant with the Payment Card Industry Data Security Standard (PCI DSS). If an enterprise has not already begun making plans to upgrade or replace its systems running XP, now is the time to do so.
Why is this the case? Consider what it means for Windows XP to reach its end-of-life date, including this statement Microsoft makes on its Windows XP end-of-life website: "After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates." Basically, the company will no longer actively pursue identifying or correcting security vulnerabilities in Windows XP.
Now, contrast Microsoft's stance with organizations' obligations under PCI DSS requirement 6.2: "Ensure that all system components and software are protected from known vulnerabilities by installing applicable, vendor-supplied security patches. Install critical security patches within one month of release." As soon as the first new XP vulnerability is discovered after April 8, an organization will automatically be out of compliance with PCI DSS because it will likely be unable to ensure that its systems are protected against a potential exploit.
Originally released in August 2001, Windows XP is now over 12 years old. Come April, there will be no way to responsibly run Windows XP on a system that is connected to any kind of network. Also, the security measures introduced in Windows 7 and Windows 8, including upgraded versions of Address Space Layout Randomization and SmartScreen Filter, as well as the addition of Secure Boot, are too great to ignore. Simply put, it's time enterprises let go of XP.
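The two conditions the answer describes, a vendor end-of-support date after which no patches exist, and the PCI DSS 6.2 one-month window for critical patches, can be turned into an inventory check. The following is an added example, not code from the Q&A or from the expert; the only value taken from the page is the Windows XP end-of-life date of April 8, 2014. The host names, patch identifiers and dates are constructed sample data, and the inventory format is an assumption.

```python
"""Assess an asset inventory against PCI DSS 6.2 patch timing and vendor support.

Added example, not from the original Q&A. Only Windows XP's end-of-life date
(2014-04-08) comes from the page; host names, patch ids and dates below are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# PCI DSS 6.2: critical security patches installed within one month of release.
PATCH_WINDOW = timedelta(days=30)

# Vendor end-of-support dates. Only the Windows XP entry is from the page;
# other products would be added from the vendor's lifecycle documentation.
VENDOR_EOL: Dict[str, date] = {"Windows XP": date(2014, 4, 8)}


@dataclass
class Host:
    name: str
    os: str
    # Critical patches the vendor has released but which are not yet installed,
    # as (patch_id, release_date). Patch ids here are constructed placeholders.
    pending_critical: List[Tuple[str, date]] = field(default_factory=list)


def assess_host(host: Host, today: date) -> List[str]:
    """Return the PCI DSS 6.2 findings for one host; an empty list means none."""
    findings: List[str] = []
    eol = VENDOR_EOL.get(host.os)
    if eol is not None and today > eol:
        # Past end of life the vendor ships no patches, so 6.2 cannot be met
        # for any vulnerability discovered after that date.
        findings.append(
            f"{host.name}: {host.os} unsupported since {eol.isoformat()}; "
            "no vendor security patches available"
        )
    for patch_id, released in host.pending_critical:
        age = today - released
        if age > PATCH_WINDOW:
            findings.append(
                f"{host.name}: critical patch {patch_id} released "
                f"{released.isoformat()} is {age.days} days old "
                f"(limit {PATCH_WINDOW.days})"
            )
    return findings


def assess_inventory(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Map each host name to its findings; compliant hosts map to []."""
    return {h.name: assess_host(h, today) for h in hosts}


# Constructed sample inventory (not real hosts or patch identifiers).
SAMPLE_HOSTS = [
    Host("pos-01", "Windows XP"),
    Host("pos-02", "Windows 7", [("KB-PLACEHOLDER-1", date(2014, 3, 11))]),
    Host("srv-03", "Windows 7", [("KB-PLACEHOLDER-2", date(2014, 4, 8))]),
]

if __name__ == "__main__":
    report = assess_inventory(SAMPLE_HOSTS, today=date(2014, 5, 1))
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else 'NON-COMPLIANT'}")
        for finding in findings:
            print("  -", finding)
```

Run against the sample inventory on 2014-05-01, the XP point-of-sale host is flagged purely for being unsupported, the Windows 7 host with a 51-day-old pending critical patch is flagged under the one-month rule, and the host patched within the window produces no finding. Assessing the same XP host on a date before April 8 produces nothing, which is exactly the point of the answer: the compliance position changes on the end-of-life date itself, not when a specific exploit appears.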