PCI compliance

I have a business that accepts credit cards. Currently I run Windows XP behind a SonicWall firewall on 20 PCs in 10 different sites. When Microsoft ends support for this operating system, will I no longer be in compliance with PCI standards? If so, what is the most cost-effective way to stay compliant? Thank you
StewartGilligan asked:
Rich Rumble (Security Samurai) commented:
Technically no, there is no violation of PCI for using out-of-date OSes. I've been in many organizations that to this day use NT4/Win2k or very old Unix/Linux because they have some legacy thing they "can't" live without. PCI is all about compensating controls and security measures or techniques. It is not about running this OS or that one. There are some best practices like staying up to date with patches, and in this case there will be no more patches after a certain point, so technically you will be up to date on them.
Others see it as black and white: http://www.vendorsafe.com/blog/2013/09/can-your-point-of-sale-be-compliant-after-the-end-of-microsoft-xp/
But PCI isn't like that. I've been through two dozen audits, and it depends on how your data is stored. If you're using XP in your network, no problem as long as you have compensating controls that limit those machines from accessing PCI data. If you use XP to store your PCI data, then there is no compensating control for that, and that will never pass a QSA's sniff test.
Again, I've been on networks that use a lot of outdated hardware and software; you can make a case (document it well) and see what the QSA says. Read that article fully and you can see that PCI themselves say it's not "necessarily out of compliance". Even so, being out of compliance is not uncommon, and until there is a breach, nothing happens to you. It's the biggest flaw in the process: there is no penalty for being non-compliant until someone starts to sue.
-rich
Abhilash (Blogger) commented:
AFAIK, yes, you will not be. If your environment is audited and it's found that you run a system that's not supported anymore, you might not be compliant anymore.
I would suggest you think of migrating to a later version of Windows.
Blue Street Tech (Last Knight) commented:
Hi StewartGilligan,

It may depend on your classification: Type A, B, C-D. But irrespective of that, I would think it would be yes, you will not be compliant, because XP will be a haven for hackers and malware to reside in once support is over, but I'm not certain. Microsoft will no longer supply critical security patches and bug fixes, so that leaves exploits wide open. To stay compliant you should A) upgrade to Windows 7 or 8, or B) use a third party to house your credit card data. In the latter case they would assume all the risk and use tokens to process a transaction to keep you from needing compliance at all.

Let me know if you have any other questions!
StewartGilligan (Author) commented:
Thank you