30 Days of Compliance Q&As #20: Am I Still PCI Compliant After Windows XP Support Ends?

Microsoft is ending support for Windows XP on April 8, 2014. After that date, Microsoft will not issue any security updates or provide technical support for the operating system. How does this affect your compliance?

The PCI Security Standards Council recently published “Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?”, which states:

“PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.”

The article goes on to say that you might be able to implement “compensating controls” to address risks posed by using unsupported operating systems.

Below are some compensating controls you might be able to implement to stay compliant:

  1. Regularly test your Windows XP systems against the latest vulnerability exploits.
  2. Make sure Anti-Virus software is installed and kept up to date with the latest signatures.
  3. Firewall off the Windows XP systems from the rest of the network.
  4. Monitor all traffic coming and going from the Windows XP systems using IPS software or devices.
  5. Actively monitor the system and network logs of all of your Windows XP systems.
  6. Properly configure applications and whitelist only the apps that are necessary for your Windows XP systems to run.

However, if an unsupported operating system is Internet-facing, it will be detected and reported as an automatic failure by an ASV (Approved Scanning Vendor) scan, regardless of any compensating controls.
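To make the decision logic above concrete, here is an added example (not code from the post, the PCI SSC or AccelOps) that evaluates a constructed asset inventory the way an assessor would walk through it: a host whose OS is past its end-of-support date is unsupported; an Internet-facing unsupported host is an automatic ASV failure; any other unsupported host is only acceptable while every listed compensating control is in place, with anti-virus counted as present only when its signatures are fresh. The control names, the `Asset` fields, the signature-age threshold and the sample hosts are all hypothetical choices made for this example; the only date taken from the post is the Windows XP end-of-support date.

```python
"""Hypothetical compensating-control check for unsupported operating systems.

Constructed example: assesses an asset inventory against the points made in
the post (vendor end-of-support, ASV automatic failure for Internet-facing
hosts, and the six listed compensating controls). Not PCI SSC or AccelOps code.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Vendor end-of-support dates. Only the date quoted in the post is filled in;
# a real inventory would carry the full vendor lifecycle table.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
}

# The six compensating controls from the post, as inventory attribute names
# (hypothetical names chosen for this example).
REQUIRED_CONTROLS = (
    "vuln_tested",       # 1. regularly tested against current vulnerability exploits
    "av_current",        # 2. anti-virus installed with current signatures (derived below)
    "segmented",         # 3. firewalled off from the rest of the network
    "ips_monitored",     # 4. traffic to and from the host watched by IPS
    "logs_monitored",    # 5. system and network logs actively monitored
    "app_whitelisting",  # 6. only the applications the host needs are allowed to run
)

# Assumption: signatures older than this many days no longer count as "up to date".
MAX_SIGNATURE_AGE_DAYS = 1


@dataclass
class Asset:
    hostname: str
    os_name: str
    internet_facing: bool
    av_signature_date: Optional[date] = None      # None = no anti-virus installed
    controls: Set[str] = field(default_factory=set)  # controls other than av_current


def is_unsupported(asset: Asset, today: date) -> bool:
    """True once the vendor end-of-support date for the asset's OS has passed."""
    eol = END_OF_SUPPORT.get(asset.os_name)
    return eol is not None and today > eol


def av_is_current(asset: Asset, today: date) -> bool:
    """Anti-virus counts as a control only if installed and recently updated."""
    if asset.av_signature_date is None:
        return False
    return (today - asset.av_signature_date).days <= MAX_SIGNATURE_AGE_DAYS


def assess(asset: Asset, today: date) -> Tuple[str, List[str]]:
    """Return (status, findings): 'compliant', 'compensating' or 'fail'."""
    if not is_unsupported(asset, today):
        return "compliant", []
    findings = [f"{asset.os_name} unsupported since {END_OF_SUPPORT[asset.os_name]}"]
    # Compensating controls do not rescue an Internet-facing unsupported host:
    # the ASV scan reports it as an automatic failure.
    if asset.internet_facing:
        findings.append("Internet-facing unsupported OS: automatic ASV scan failure")
        return "fail", findings
    effective = set(asset.controls)
    if av_is_current(asset, today):
        effective.add("av_current")
    missing = [c for c in REQUIRED_CONTROLS if c not in effective]
    if missing:
        findings.append("missing compensating controls: " + ", ".join(missing))
        return "fail", findings
    findings.append("all compensating controls present (temporary; upgrade still required)")
    return "compensating", findings


def assess_inventory(assets: List[Asset], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Assess every asset and key the results by hostname."""
    return {a.hostname: assess(a, today) for a in assets}


# Constructed sample inventory, assessed as of a date shortly after XP end-of-support.
ALL_OTHER_CONTROLS = {"vuln_tested", "segmented", "ips_monitored", "logs_monitored", "app_whitelisting"}
SAMPLE_INVENTORY = [
    Asset("pos-01", "Windows XP", False, date(2014, 5, 1), set(ALL_OTHER_CONTROLS)),
    Asset("kiosk-02", "Windows XP", True, date(2014, 5, 1), set(ALL_OTHER_CONTROLS)),
    Asset("lab-03", "Windows XP", False, date(2014, 4, 20),
          {"vuln_tested", "ips_monitored", "logs_monitored", "app_whitelisting"}),
    Asset("srv-04", "Windows 7", False, date(2014, 5, 1), set()),
]

if __name__ == "__main__":
    for host, (status, findings) in assess_inventory(SAMPLE_INVENTORY, date(2014, 5, 1)).items():
        print(f"{host}: {status}")
        for line in findings:
            print(f"    - {line}")
```

Run as of 1 May 2014, `pos-01` is reported as `compensating`, `kiosk-02` fails outright because it is Internet-facing, `lab-03` fails because its signatures are stale and it is not segmented, and `srv-04` is compliant because its OS is still supported. Keeping the anti-virus decision date-based rather than a static flag is deliberate: a control that silently stops updating is the failure mode a quarterly self-assessment is most likely to miss.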

Remember that compensating controls should only be considered a temporary solution until you can upgrade to a supported operating system. If you need assistance with compensating controls to protect your Windows XP systems, contact a Qualified Security Assessor (QSA).

AccelOps can help your organization monitor traffic, network and system logs, applications and access to your PCI systems to help your organization transition to updated compliant operating systems.

Contact us to talk about your PCI compliance or to get an AccelOps demo.

Authors

Marta Stone
