As of April 8th, Microsoft will cease its support for Windows XP, which may leave systems still running the operating system out of PCI compliance.
Windows XP was introduced to the public in 2001 and is to this day the preferred OS for quite a few PC users. XP, however, has become a target for hackers and data attacks given its outdated kernel, which can be traced back to early versions of Windows NT. Until now, Microsoft has consistently updated the operating system since its launch 13 years ago, mainly with security fixes. So how will Microsoft ending support for XP affect merchants?
According to PCI DSS requirement 6.2, “system components within the cardholder data environment (CDE) must be protected from known vulnerabilities by having the latest vendor-supplied security patches installed.”
The PCI Security Standards Council (SSC) recently released an infographic highlighting the increasing security risk that an unsupported version of Windows XP poses.
Whether a CDE computing device running XP will cause a firm to lose any PCI certification is unclear. Spokespeople for the PCI SSC refer to the matter as a “tough spot” and say that no simple yes-or-no answer can be provided.
“Whether a company running XP is going to remain compliant with PCI DSS or not is a call, like all compliance-related ones, that is going to be made by an organization’s QSA [Qualified Security Assessor] during the assessment process. The council’s aim is to raise awareness of the upcoming changes with Microsoft XP and to get people to start this conversation with their assessors and acquiring banks now if they haven’t already done so,” said Ella Nevill, a vice president with the PCI SSC.
Microsoft itself has been pushing users toward newer operating systems such as Windows 7 and Windows 8 over the last few years, and the main reasons it gives for switching are security related.