Solved

PCI compliance

Posted on 2014-02-13
4
460 Views
Last Modified: 2014-02-17
I have a business that accepts credit cards. Currently I run Windows XP behind a SonicWall firewall on 20 PCs in 10 different sites. When Microsoft ends support for this operating system, will I not be in compliance with PCI standards? If so, what is the most cost-effective way to stay compliant? Thank you.
0
Comment
Question by:StewartGilligan
4 Comments
 
LVL 13

Expert Comment

by:Abhilash
ID: 39855973
AFAIK yes, you will not be. If your environment is audited and it's found that you run a system that's not supported anymore, you might not be compliant anymore.
I would suggest that you think of migrating to a later version of Windows.
0
 
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 200 total points
ID: 39856808
Hi StewartGilligan,

It may depend on your classification: Type A, B, C-D. But irrespective of that, I would think it would be yes, you will not be compliant, because XP will be a haven for hackers and malware to reside in once support is over, but I'm not certain. Microsoft will no longer supply critical security patches and bug fixes, so that leaves exploits wide open. To stay compliant you should A) upgrade to Windows 7 or 8, or B) use a third party to house your credit card data. In the latter case they would assume all the risk and use tokens to process a transaction to keep you from needing compliance at all.

Let me know if you have any other questions!
0
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 300 total points
ID: 39858835
Technically no, there is no violation of PCI for using out-of-date OSes. I've been in many organizations that to this day use NT4/Win2k or very old Unix/Linux because they have some legacy thing they "can't" live without. PCI is all about compensating controls and security measures or techniques. It is not about running this OS or that one. There are some best practices like staying up to date with patches, and in this case there will be no more patches after a certain point, so technically you will be up to date on them.
Others see it as black and white: http://www.vendorsafe.com/blog/2013/09/can-your-point-of-sale-be-compliant-after-the-end-of-microsoft-xp/
But PCI isn't like that. I've been through two dozen audits, and it depends on how your data is stored. If you're using XP in your network, no problem as long as you have compensating controls that limit those machines from accessing PCI data. If you use XP to store your PCI data, then there is no compensating control for that; that will never pass a QSA's sniff test.
Again, I've been on networks that use a lot of outdated hardware and software; you can make a case (document it well) and see what the QSA says. Read that article fully and you can see that PCI themselves say it's not "necessarily out of compliance". Even so, being out of compliance is not uncommon, and until there is a breach, nothing happens to you. It's the biggest flaw in the process: there is no penalty for being non-compliant until someone starts to sue.
-rich
0
 

Author Closing Comment

by:StewartGilligan
ID: 39859969
Thank you.
0
