?
Solved

pci compliance

Posted on 2014-02-13
4
Medium Priority
?
485 Views
Last Modified: 2014-02-17
I have a business that accepts credits cards.  currently I run windows xp behind a sonicwall firewall on 20 pc's in 10 different sites.  when Microsoft ends support for this operating system will I not be in compliance with pci standards?  if so, what is the most cost effective way to stay compliant?  thank you
0
Comment
Question by:StewartGilligan
4 Comments
 
LVL 13

Expert Comment

by:Abhilash
ID: 39855973
AFAIK yes you will not be. If your environment is audited and its found that you run a system that's not supported anymore, you might not be compliant anymore.
I would suggest you to think of migrating to a later version of windows.
0
 
LVL 27

Assisted Solution

by:Blue Street Tech
Blue Street Tech earned 800 total points
ID: 39856808
Hi StewartGilligan,

It may depend on your classification Type A, B, C-D. But irrespectively, I would think it would be yes you will not be compliant because XP will be a haven to hackers and malware to reside once support is over but I'm not certain. Microsoft will not longer supply critical security patches and bug fixes so that leaves exploits wide open. To stay compliant you should A) upgrade to Windows 7 or 8, or B) you a third-party to house your credit card data. In the later they would assume all the risk and use tokens to process a transaction to keep you from needing compliance at all.

Let me know if you have any other questions!
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1200 total points
ID: 39858835
Technically no, there is no violation of PCI for using out of date OS's. I've been in many organizations that to this day use NT4/win2k or very old Unix/Linux because they have some legacy thing they "can't" live without. PCI is all about compensating controls and security measures or techniques. It is not about running this OS or that one. There are some best practices like staying up to date with patches, and in this case there will be no more patches after a certain point, so technically you will be up to date on them.
Others see it as black and white: http://www.vendorsafe.com/blog/2013/09/can-your-point-of-sale-be-compliant-after-the-end-of-microsoft-xp/
But PCI isn't like that, I've been through two dozen audits, and it depends on how your data is stored. If your using XP in your network, no problem as long as you have compensating controls that limit those machines from accessing PCI data. If you use XP to store you PCI data, then there is no compensating control for that, that will never pass a QSA's sniff test.
Again I've been on networks that use a lot of outdated hardware and software, you can make a case (well document it) and see what the QSA says. Read that article fully and you can see that PCI themselves say it's not "necessarily out of compliance". Even so, being out of compliance is not uncommon, and until there is a breach, nothing happens to you. It's the biggest flaw in the process, there is no penalty for being non-complainant until someone starts to sue.
-rich
0
 

Author Closing Comment

by:StewartGilligan
ID: 39859969
thank you
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question