Solved

pci compliance

Posted on 2014-02-13
Last Modified: 2014-02-17
I have a business that accepts credit cards. Currently I run Windows XP behind a SonicWall firewall on 20 PCs in 10 different sites. When Microsoft ends support for this operating system, will I not be in compliance with PCI standards? If so, what is the most cost-effective way to stay compliant? Thank you.
Question by: StewartGilligan

4 Comments

Expert Comment by: Abhilash (LVL 13)

AFAIK, yes, you will not be. If your environment is audited and it's found that you run a system that's no longer supported, you might not be compliant anymore.
I would suggest you think about migrating to a later version of Windows.

Assisted Solution by: diverseit (LVL 24, earned 200 total points)

Hi StewartGilligan,

It may depend on your classification (Type A, B, C-D). But irrespective of that, I would think the answer is yes, you will not be compliant, because XP will be a haven for hackers and malware once support is over, but I'm not certain. Microsoft will no longer supply critical security patches and bug fixes, so that leaves exploits wide open. To stay compliant you should A) upgrade to Windows 7 or 8, or B) use a third party to house your credit card data. In the latter case they would assume all the risk and use tokens to process a transaction, to keep you from needing compliance at all.

Let me know if you have any other questions!

Accepted Solution by: Rich Rumble (LVL 38, earned 300 total points)

Technically no, there is no violation of PCI for using out-of-date OSes. I've been in many organizations that to this day use NT4/Win2k or very old Unix/Linux because they have some legacy thing they "can't" live without. PCI is all about compensating controls and security measures or techniques. It is not about running this OS or that one. There are some best practices like staying up to date with patches, and in this case there will be no more patches after a certain point, so technically you will be up to date on them.
Others see it as black and white: http://www.vendorsafe.com/blog/2013/09/can-your-point-of-sale-be-compliant-after-the-end-of-microsoft-xp/
But PCI isn't like that. I've been through two dozen audits, and it depends on how your data is stored. If you're using XP in your network, no problem as long as you have compensating controls that limit those machines from accessing PCI data. If you use XP to store your PCI data, then there is no compensating control for that; that will never pass a QSA's sniff test.
Again, I've been on networks that use a lot of outdated hardware and software; you can make a case (document it well) and see what the QSA says. Read that article fully and you can see that PCI themselves say it's not "necessarily out of compliance". Even so, being out of compliance is not uncommon, and until there is a breach, nothing happens to you. It's the biggest flaw in the process: there is no penalty for being non-compliant until someone starts to sue.
-rich

Author Closing Comment by: StewartGilligan

thank you