January 8, 2014
Windows XP Sunset Event Could Affect Your PCI Compliance
On April 8, 2014, Microsoft’s extended support for Windows XP will cease. Merchants running this operating system should start preparing now to upgrade to a supported operating system. But of course, in standard Shift4 style, we’re here to explain why and how these changes affect you so you can keep your business compliant and safe.
Why is this important?
Requirement 6.2 of the PCI Data Security Standard (PCI DSS) tells us to “ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.”
The PCI Security Standards Council’s position on this subject is that if a vendor no longer supports a system component by issuing security patches, merchants running that component in their card data environment cannot check “In Place” on their next Self-Assessment Questionnaire. In case you weren’t aware, in order to be PCI DSS compliant, all in-scope requirements must be checked “In Place.”
If you are running an unsupported operating system, and it is accessible from the Internet, you will receive an automatic PCI failure on the next authorized scanning vendor (ASV) vulnerability scan and will immediately be deemed non-compliant with the PCI DSS. The ASVs are required to automatically fail a scan upon detecting an unsupported operating system.
What if my unsupported operating system does not process, store, or transmit cardholder data?
If the system resides in the card data environment and is not properly segmented from systems that process, store, or transmit card data, then it is in scope for PCI DSS requirement 6.2 (network segmentation is covered on page 11 of the PCI DSS manual).
What should I do?
If you will be affected by this Microsoft sunset event you should immediately consult with your merchant services provider (MSP) or merchant bank and your ISA or QSA so they are aware and can provide guidance. If you already have a plan to upgrade, then congrats – you’re ahead of the game.
If you don’t have a plan or a budget allocation to upgrade to a supported operating system, you have one other possible option – use Compensating Controls (see PCI DSS Appendices B & C). This is not recommended, and should be discussed with your MSP/merchant bank and your ISA or QSA to determine your next steps.
As always, we’re here to help. Please contact Shift4 Support at 702.597.2480 (option 2) for more information on how to keep your card data environment PCI compliant through the upcoming changes.