Solved

pci compliance

Posted on 2014-02-13
470 Views
Last Modified: 2014-02-17
I have a business that accepts credit cards. Currently I run Windows XP behind a SonicWall firewall on 20 PCs in 10 different sites. When Microsoft ends support for this operating system, will I not be in compliance with PCI standards? If so, what is the most cost-effective way to stay compliant? Thank you.
Question by:StewartGilligan
4 Comments
 
LVL 13

Expert Comment

by:Abhilash
ID: 39855973
AFAIK yes, you will not be. If your environment is audited and it's found that you run a system that's not supported anymore, you might not be compliant anymore.
I would suggest you think about migrating to a later version of Windows.
 
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 200 total points
ID: 39856808
Hi StewartGilligan,

It may depend on your classification: Type A, B, C-D. But irrespective of that, I would think the answer is yes, you will not be compliant, because XP will be a haven for hackers and malware to reside in once support is over, but I'm not certain. Microsoft will no longer supply critical security patches and bug fixes, so that leaves exploits wide open. To stay compliant you should A) upgrade to Windows 7 or 8, or B) use a third party to house your credit card data. In the latter case they would assume all the risk and use tokens to process a transaction, to keep you from needing compliance at all.

Let me know if you have any other questions!
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 300 total points
ID: 39858835
Technically no, there is no violation of PCI for using out-of-date OSes. I've been in many organizations that to this day use NT4/Win2k or very old Unix/Linux because they have some legacy thing they "can't" live without. PCI is all about compensating controls and security measures or techniques. It is not about running this OS or that one. There are some best practices like staying up to date with patches, and in this case there will be no more patches after a certain point, so technically you will be up to date on them.
Others see it as black and white: http://www.vendorsafe.com/blog/2013/09/can-your-point-of-sale-be-compliant-after-the-end-of-microsoft-xp/
But PCI isn't like that. I've been through two dozen audits, and it depends on how your data is stored. If you're using XP in your network, no problem, as long as you have compensating controls that limit those machines from accessing PCI data. If you use XP to store your PCI data, then there is no compensating control for that; that will never pass a QSA's sniff test.
Again, I've been on networks that use a lot of outdated hardware and software. You can make a case (document it well) and see what the QSA says. Read that article fully and you can see that PCI themselves say it's not "necessarily out of compliance". Even so, being out of compliance is not uncommon, and until there is a breach, nothing happens to you. It's the biggest flaw in the process: there is no penalty for being non-compliant until someone starts to sue.
-rich
 

Author Closing Comment

by:StewartGilligan
ID: 39859969
Thank you.
