Microsoft is ending support for Windows XP on April 8, 2014. After that date, Microsoft will not issue any security updates or provide technical support for the operating system. How does this affect your compliance?
The PCI Security Standards Council recently published “Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?”
“PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.“
The article goes on to say that you might be able to implement “compensating controls” to address risks posed by using unsupported operating systems.
Below are a some compensating controls you might be able to implement to stay compliant:
However, if an unsupported operating system is Internet-facing it will be detected and reported as an automatic failure by an ASV scan.
Remember that compensating controls should only be considered a temporary solution until you can upgrade to a supported operating system. It is recommended that if you need assistance with compensating controls to protect your Windows XP systems you should contact a Qualified Security Assessor.
AccelOps can help your organization monitor traffic, network and system logs, applications and access to your PCI systems to help your organization transition to updated compliant operating systems.
Contact us for to talk about your PCI compliance or a get an AccelOps demo.