
How Windows XP end of life conflicts with PCI DSS requirement 6.2

Expert Mike Chapple explains why companies running Windows XP will have trouble meeting PCI DSS requirement 6.2 after the Windows XP end-of-life date.

I work for a regional retailer, and we still utilize Windows XP machines throughout most of the organization. Our IT team has tried to convince higher-ups of the need to migrate to newer OSes, but they frankly don't seem to care, as long as the machines they have are still functioning. We process millions of card transactions a year, so we're obviously subject to PCI DSS requirements. I'm curious how Windows XP reaching end-of-life status will impact our PCI compliance status. Will it matter to a QSA that we're running XP machines, and if so, is there a way to stay compliant, particularly after XP updates end in 2014?


If an organization continues to run the Windows XP operating system after Microsoft's end-of-life date of April 8, 2014, it will no longer be compliant with the Payment Card Industry Data Security Standard (PCI DSS). If an enterprise has not already begun making plans to upgrade or replace its systems running XP, now is the time to do so.

Why is this the case? Consider what it means for Windows XP to reach its end-of-life date, including this statement Microsoft makes on its Windows XP end-of-life website: "After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates." Basically, the company will no longer actively pursue identifying or correcting security vulnerabilities in Windows XP.

Now, contrast Microsoft's stance with organizations' obligations under PCI DSS requirement 6.2: "Ensure that all system components and software are protected from known vulnerabilities by installing applicable, vendor-supplied security patches. Install critical security patches within one month of release." As soon as the first new XP vulnerability is discovered after April 8, an organization will automatically be out of compliance with PCI DSS because it will likely be unable to ensure that its systems are protected against a potential exploit.
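As an added illustration (not part of the original column), the two conditions described above, the one-month patch window of requirement 6.2 and the end-of-life cut-off after which no vendor patch can exist, can be encoded as a simple inventory check; the host names, patch identifiers and dates below are constructed, and "one month" is read as 30 days, which is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

XP_EOL = date(2014, 4, 8)          # end-of-life date stated in the column
PATCH_WINDOW = timedelta(days=30)  # "within one month" read as 30 days (assumption)

@dataclass
class Patch:
    """A vendor-supplied critical security patch and when it was applied."""
    patch_id: str
    released: date
    installed: Optional[date]  # None means not yet installed

@dataclass
class Host:
    name: str
    os: str
    vendor_eol: Optional[date]  # None means the vendor still supports the OS
    critical_patches: List[Patch] = field(default_factory=list)

def assess_host(host: Host, today: date) -> List[str]:
    """Return PCI DSS 6.2 findings for one host; an empty list means none."""
    findings = []
    if host.vendor_eol is not None and today >= host.vendor_eol:
        # Past end of life: no vendor patch can exist for a newly found flaw.
        findings.append(f"{host.name}: {host.os} past vendor end of life ({host.vendor_eol})")
    for p in host.critical_patches:
        deadline = p.released + PATCH_WINDOW
        if p.installed is None and today > deadline:
            findings.append(f"{host.name}: {p.patch_id} missing, deadline {deadline} passed")
        elif p.installed is not None and p.installed > deadline:
            findings.append(f"{host.name}: {p.patch_id} applied {p.installed}, after {deadline}")
    return findings

def assess_inventory(hosts: List[Host], today: date) -> dict:
    """Map each host name to its list of findings."""
    return {h.name: assess_host(h, today) for h in hosts}

# Constructed sample inventory: host names, patch ids and dates are made up.
INVENTORY = [
    Host("pos-01", "Windows XP", XP_EOL, [Patch("PATCH-A", date(2014, 3, 11), date(2014, 3, 20))]),
    Host("ws-02", "Windows 7", None, [Patch("PATCH-B", date(2014, 3, 11), date(2014, 3, 25))]),
    Host("ws-03", "Windows 7", None, [Patch("PATCH-B", date(2014, 3, 11), None)]),
]
AS_OF = date(2014, 5, 1)

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY, AS_OF).items():
        print(name, "no findings" if not findings else findings)
```

Note that the XP host is flagged even though its last patch was applied on time: once the vendor stops issuing patches, the requirement cannot be met for any vulnerability found afterwards.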

Originally released in August 2001, Windows XP is now over 12 years old. Come April, there will be no way to responsibly run Windows XP on a system that is connected to any kind of network. Also, the security improvements introduced in Windows 7 and Windows 8, including upgraded versions of Address Space Layout Randomization and SmartScreen Filter as well as the addition of Secure Boot, are too great to ignore. Simply put, it's time enterprises let go of XP.

This was last published in January 2014


If an enterprise decides to still use SOME XP workstations in their environment but implements a lockdown/whitelisting/hardening tool, would they still be compliant with PCI, since this might address the concern on vulnerability? Thanks
Hi Sinnedx, implementing "lockdown/whitelisting/hardening" should suffice in a sense, but most importantly a Host Intrusion Prevention System (HIPS) solution should also be in place, especially for devices that are not fixed-function devices.