XP retired, help :-(

Recently bought a PC at our shop with Windows XP Pro. Was told XP Pro was the most stable operating system. Now we find out it has been "retired" and our machine is no longer compliant to take credit card transactions. Our machine is behind a SonicWall, but I guess that doesn't matter. Any creative solutions to stay compliant without a big cost? Thanks

Blue Street Tech (Last Knights) Commented:
@mlsbraves - You are incorrect. If a company is not storing credit card data, their SAQ form and compliance standards are dramatically reduced. SAQ A, B and C are super easy to be compliant with, and tokenization (if a company is storing data) moves the liability from them to the tokenization processor - that is the point of tokenization (to remove the burden/liability).
"Tokenization or not storing card data would definitely increase their level, but even a tier 4 is required to fill out a SAQ annually."
And have you reviewed an SAQ A, B or C form? I doubt you'd say that if you had. SAQ D is the only major standard, and that only affects merchants who store CC data.

P.S. Let's refrain from hijacking the thread here. :)

Is the hardware suitable to run Windows 7 or 8? Purchase a retail copy of a modern operating system and install it.

If the computer is sufficiently old that it is unsuitable to run Windows 7 or Windows 8.... you shouldn't have bought it in the first place. Try to return it, or write it off and consider it a lesson learned.
Blue Street TechLast KnightsCommented:
Hi StewartGilligan,

XP is the most stable system, yes, pre-Windows 7, LOL.

If you have another computer that has Windows 7/8 Pro then you could run your credit cards through that by segmenting it from the rest of the computers in the network.

Do you store credit card data?

You can use a token service to avoid needing to be PCI compliant.

Let me know!
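Added example, not part of any reply in this thread: one way to do the host-level half of the segmentation Blue Street Tech describes, on a dedicated Windows 8.1 (or later) card-processing PC, using the built-in Windows Firewall from PowerShell. The processor and DNS addresses are placeholders, as is the hostname; substitute the ones your processor and network actually use. Keep the SonicWall VLAN/ACL split as well, since a host firewall is only a second layer and the network boundary is what a QSA will look at first.

```powershell
# Added example (not from the thread): host-level isolation of a dedicated
# card-processing PC. Run from an elevated PowerShell on Windows 8.1 / Server 2012 R2
# or later, where the NetSecurity cmdlets and Test-NetConnection exist.
$PaymentHosts = @('203.0.113.10', '203.0.113.11')   # assumption: your processor's gateway IPs
$DnsServers   = @('192.168.1.1')                    # assumption: your internal DNS server

# 1. Default-deny in both directions on every profile. Inbound is already blocked
#    by default; outbound normally is not, so that is the important change here.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Allow only what card processing needs: TLS to the processor and DNS lookups.
New-NetFirewallRule -DisplayName 'POS: processor TLS' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 443 -RemoteAddress $PaymentHosts

New-NetFirewallRule -DisplayName 'POS: DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers

# 3. Patching still has to work, so let the Windows Update service (wuauserv,
#    hosted in svchost.exe) reach Microsoft over HTTP/HTTPS. This is the one rule
#    that is not pinned to an address, because the update endpoints vary.
New-NetFirewallRule -DisplayName 'POS: Windows Update' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80, 443 `
    -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv

# 4. Verify: list the POS rules, then try an unrelated destination (placeholder
#    address) to confirm the default-deny is actually in force.
Get-NetFirewallRule -DisplayName 'POS:*' |
    Select-Object DisplayName, Direction, Action, Enabled

Test-NetConnection -ComputerName 198.51.100.5 -Port 443 -InformationLevel Quiet
```

The final Test-NetConnection should report False once the outbound default is Block; if it reports True, a broader rule (typically a vendor-installed "allow all" rule) is overriding the default and needs to be found and disabled. Anything else the till software needs (a receipt printer on the LAN, a back-office share) gets its own narrow rule rather than relaxing the default, and the rule set itself is what you hand the QSA as evidence of the control.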

Agree with Frosty555. If the computer hardware specs meet the minimum requirements of Windows 7 (you could technically use Vista, but what a horrible OS), you can upgrade the OS. If not, then your best bet will be to replace the computer. Anti-virus or any other program will not protect XP from the security vulnerabilities in the future. An OS upgrade will be required to stay in PCI compliance.
Do you store credit card data?

You can use a token service to avoid needing to be PCI compliant.

Even if the merchant doesn't store CC data, they are still required to be PCI compliant since they are processing a card. Tokenization or not storing card data would definitely increase their level, but even a tier 4 is required to fill out a SAQ annually.
Use the compatibility list to get an idea: http://www.microsoft.com/en-us/windows/compatibility/CompatCenter/Home?Language=en-US

Roughly, I would suggest a bare minimum of 2 GB RAM (better 4 GB) and a dual-core CPU, if you only need the OS plus your application.
Rich Rumble (Security Samurai) Commented:
Also note that having an outdated OS does not mean you are out of compliance!
I deal with QSAs all year long, and while an updated/supported OS is a better choice, you do not fall out of compliance simply for using an unsupported OS. Lots of old OSes still pass PCI with the proper compensating controls and documentation.
Have a look at the previous question I answered about this:
Blue Street TechLast KnightsCommented:
Hi StewartGilligan,

Do you know what SAQ form you fall under, e.g. (A, B, C or D...)?

For example, if 6.2 applies to you, then you are correct and your PCI compliance would fail:

PCI non-compliant
If Windows XP is in your cardholder data environment (CDE), your business will fall out of compliance as of April 9, 2014, regardless of when your annual compliance validation is scheduled to take place.

PCI DSS Requirement 6.2 states:
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. (Source: www.pcisecuritystandards.org)
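Added example, not from Blue Street Tech's reply: a quick audit of the machines in the CDE against Requirement 6.2 as quoted above (newest security patch no older than one month), plus a flag for an OS that Microsoft no longer patches at all, using only built-in PowerShell cmdlets run from a supported admin workstation. The hostnames are placeholders; the script needs WMI (DCOM) admin access to each host, which works against XP as well as newer Windows.

```powershell
# Added example (not from the thread). Screens CDE hosts for PCI DSS 6.2:
# critical patches within one month, and no OS the vendor has stopped patching.
# Uses Get-WmiObject rather than CIM/WinRM so that it also reaches XP boxes.
$CdeHosts        = @('POS-01', 'POS-02')   # assumption: placeholder hostnames
$PatchWindowDays = 30                      # Requirement 6.2: "within one month"

# Kernel versions with no vendor patches: 5.1 = XP, 5.2 = XP x64 / Server 2003
# (Microsoft ended XP support on 2014-04-08). Extend the list as products retire.
$UnsupportedVersions = @('5.1', '5.2')

function Get-CdePatchStatus {
    param([string[]]$ComputerName, [int]$WindowDays, [string[]]$Unsupported)

    foreach ($h in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        } catch {
            Write-Warning "$h unreachable over WMI: $($_.Exception.Message)"
            continue
        }
        $majorMinor = ($os.Version -split '\.')[0..1] -join '.'   # "5.1.2600" -> "5.1"

        # Newest hotfix install date (Win32_QuickFixEngineering, parsed by Get-HotFix).
        $lastPatch = Get-HotFix -ComputerName $h |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1 -ExpandProperty InstalledOn

        $daysSince = if ($lastPatch) { (New-TimeSpan -Start $lastPatch -End (Get-Date)).Days } else { $null }
        $isUnsupported = $Unsupported -contains $majorMinor

        [pscustomobject]@{
            Host           = $h
            OS             = $os.Caption
            Version        = $os.Version
            Unsupported    = $isUnsupported
            LastPatch      = $lastPatch
            DaysSincePatch = $daysSince
            # Fails 6.2 if no vendor patches can exist (EOL), none were found,
            # or the newest one is older than the one-month window.
            Fails62        = $isUnsupported -or ($null -eq $daysSince) -or ($daysSince -gt $WindowDays)
        }
    }
}

Get-CdePatchStatus -ComputerName $CdeHosts -WindowDays $PatchWindowDays -Unsupported $UnsupportedVersions |
    Format-Table -AutoSize
```

Treat the output as a screening pass, not as evidence: Win32_QuickFixEngineering only records updates installed through the Windows Update/hotfix mechanism, XP entries sometimes lack an install date, and a host can have a recent non-critical patch while still missing a critical one. For the actual validation you want WSUS or update-history reports per host, and for any host flagged Unsupported the only routes are an OS upgrade or the documented compensating controls and QSA sign-off that Rich Rumble describes.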
Rich Rumble (Security Samurai) Commented:
If you isolate the system with the proper controls, you can pass PCI. I have clients with NT4/Win2k and very old *nix machines, and the *nix machines (yes, they have PII on them) can't even run AV software. The PCI standard is not as strict as it sounds, and this is one of the best reasons to have compensating controls be part of that standard.
80% of the banking ATMs in the US still run XP. I bet you next year it won't be much less than that, and the year after that; you won't see XP going from banks/ATMs for another 4 years. They could do it in one to two years, but I bet they put controls in place that allow them to get away with it for longer.
Many non-MS OSes are free... and much more stable than XP or Seven.

XP is probably currently still much more secure than any of its MS successors.

If you're concerned about $$, I hardly believe the guy who recently dared to sell a PC with XP won't do an upgrade if you complain.
StewartGilliganAuthor Commented:
To answer diverseit, we are a small pub that accepts credit cards, so I'm not sure if we are A, B, C, D.... :-(. Does anybody know?
Not my field at all, but most likely C (see the copy-paste below).

PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v2.0 October 2010
Copyright 2010 PCI Security Standards Council LLC

Selecting the SAQ and Attestation that Best Apply to Your Organization

According to payment brand rules, all merchants and service providers are required to comply with the PCI DSS in its entirety. There are five SAQ categories, shown briefly in the table below and described in more detail in the following paragraphs. Use the table to gauge which SAQ applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ.

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ D: All other merchants not included in descriptions for SAQ types A through C above, and service providers defined by a payment brand as eligible to complete an SAQ.

The SAQ question list is on page 9 of the PDF, and there is a "Guidance for Non-Applicability of Certain, Specific Requirements" section near the end that lists requirements that do NOT apply to C and D cases.

Hope that helps.
StewartGilliganAuthor Commented:
great info.  thanks all :-)
Blue Street TechLast KnightsCommented:
Thanks for the points. ...Glad I could help!