Solved

xp retired, help :-(

Posted on 2014-04-08
14
282 Views
Last Modified: 2014-04-15
We recently bought a PC at our shop with Windows XP Pro. We were told XP Pro was the most stable operating system. Now we find out it has been "retired" and our machine is no longer compliant to take credit card transactions. Our machine is behind a SonicWall, but I guess that doesn't matter. Any creative solutions to stay compliant without a big cost? Thanks
0
Question by:StewartGilligan
14 Comments
 
LVL 31

Expert Comment

by:Frosty555
Is the hardware suitable to run Windows 7 or 8? Purchase a retail copy of a modern operating system and install it.

If the computer is sufficiently old that it is unsuitable to run Windows 7 or Windows 8.... you shouldn't have bought it in the first place. Try to return it, or write it off and consider it a lesson learned.
0
 
LVL 24

Expert Comment

by:diverseit
Hi StewartGilligan,

XP is the most stable system, yes, pre-Windows 7, LOL.

If you have another computer that has Windows 7/8 Pro then you could run your credit cards through that by segmenting it from the rest of the computers in the network.

Do you store credit card data?

You can use a token service to avoid needing to be PCI compliant.

Let me know!
0
 
LVL 3

Expert Comment

by:mlsbraves
Agree with Frosty555. If the computer hardware specs meet the minimal requirements of Windows 7 (You could technically use Vista but what a horrible OS) you can upgrade the OS. If not then your best bet will be to replace the computer. Anti-Virus or any other program will not protect XP from the security vulnerabilities in the future. An OS upgrade will be required to stay in PCI Compliance.
0
 
LVL 3

Expert Comment

by:mlsbraves
Do you store credit card data?

You can use a token service to avoid needing to be PCI compliant.

Even if the merchant doesn't store CC data, they are still required to be PCI compliant since they are processing a card. Tokenization or not storing card data would definitely increase their level, but even a tier 4 is required to fill out a SAQ annually.
0
 
LVL 91

Expert Comment

by:nobus
use the compatibility list to have an idea :  http://www.microsoft.com/en-us/windows/compatibility/CompatCenter/Home?Language=en-US

Roughly, I would suggest a bare minimum of 2 GB RAM (better 4 GB) and a dual-core CPU,
if you only need the OS + your application.
0
 
LVL 24

Accepted Solution

by:
diverseit earned 167 total points
@mlsbraves - You are incorrect. If a company is not storing credit card data, their SAQ form and compliance standards are dramatically reduced. SAQ A, B and C are super easy to be compliant with, and tokenization (if a company is storing data) moves the liability from them to the tokenization processor - that is the point of tokenization (to remove the burden/liability).
"Tokenization or not storing card data would definitely increase their level but even a tier 4 is required to fill out a SAQ annually."
And have you reviewed a SAQ A, B or C form? I doubt you'd say that if you had. SAQ D is the only major standard, and that only affects merchants who store CC data.

P.S. Let's refrain from hijacking the thread here. :)

Cheers!
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 333 total points
Also note that having an outdated OS does not mean you are out of compliance!
I deal with QSAs all year long, and while an updated/supported OS is a better choice, you do not fall out of compliance simply for using an unsupported OS. Lots of old OSes still pass PCI with the proper compensating controls and documentation.
Have a look at the previous question I answered about this:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28363923.html#a39858835
-rich
0

 
LVL 24

Expert Comment

by:diverseit
Hi StewartGilligan,

Do you know what SAQ form you fall under, e.g. (A, B, C or D...)?

For example if 6.2 applies to you then you are correct and your PCI compliance would fail:

PCI non-compliant
If Windows XP is in your cardholder data environment (CDE), your business will fall out of compliance as of April 9, 2014, regardless of when your annual compliance validation is scheduled to take place.

PCI DSS Requirement 6.2 states:
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. (Source: www.pcisecuritystandards.org)
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 333 total points
If you isolate the system with the proper controls, you can pass PCI. I have clients with NT4/Win2k and very old *nix machines, and the *nix machines (yes, they have PII on them) can't even run AV software. The PCI standard is not as strict as it sounds, and this is one of the best reasons to have the compensating controls be part of that standard.
80% of the banking ATMs in the US still run XP. I bet you next year it won't be much less than that, and the year after that; you won't see XP going from banks/ATMs for another 4 years. They could do it in one to two years, but I bet they put controls in place that allow them to get away with it for longer.
-rich
0
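The isolation Rich describes (the card-processing host may talk only to the payment processor, and nothing else on the LAN may talk to it) is only a compensating control if someone actually verifies that the firewall enforces it. The script below is an added example, not code from this thread or from any firewall vendor: it audits constructed firewall log lines against a hypothetical allow-list for a POS host. The log format, the host/gateway addresses (RFC 1918 and RFC 5737 placeholder ranges) and the policy are all assumptions; a real appliance such as the SonicWall mentioned in the question logs in its own format, so the regex would need adapting.

```python
"""Audit firewall logs for violations of a POS host's isolation policy.

Added example with a constructed log format and placeholder addresses;
not derived from any real deployment or vendor log schema.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical policy: the POS host may only reach the payment gateway over
# HTTPS and the local resolver over DNS.  Nothing on the LAN may connect to it.
POS_HOST = ipaddress.ip_address("192.168.10.50")          # placeholder
ALLOWED_EGRESS = {
    (ipaddress.ip_address("203.0.113.10"), 443, "tcp"),  # payment gateway (placeholder)
    (ipaddress.ip_address("192.168.10.1"), 53, "udp"),   # local resolver (placeholder)
}
ALLOWED_INGRESS_SOURCES = set()  # e.g. a management jump box; empty = nobody

# Constructed, generic log line shape: "<ts> src=IP:port dst=IP:port proto=X action=Y"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+"
    r"action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    severity: str  # "gap": firewall allowed a flow the policy forbids;
                   # "blocked": forbidden flow was attempted but denied
    reason: str


def parse_line(line):
    """Parse one log line into typed fields; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"].lower(),
        "action": d["action"].lower(),
    }


def audit(lines):
    """Return a Finding for every flow touching the POS host that breaks policy.

    Flows between other hosts are ignored: the policy only covers the POS host.
    An allowed violation is a control gap (the firewall rule set is too loose);
    a denied one shows the control working against an attempted reach-in.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = None
        if rec["src"] == POS_HOST:
            if (rec["dst"], rec["dport"], rec["proto"]) not in ALLOWED_EGRESS:
                reason = "POS host egress outside the allow-list"
        elif rec["dst"] == POS_HOST:
            if rec["src"] not in ALLOWED_INGRESS_SOURCES:
                reason = "inbound connection to POS host from an unapproved source"
        if reason is None:
            continue
        severity = "gap" if rec["action"] == "allow" else "blocked"
        findings.append(Finding(rec["ts"], str(rec["src"]), str(rec["dst"]),
                                rec["dport"], rec["proto"], severity, reason))
    return findings


def control_gaps(findings):
    """Only the findings where the firewall let a forbidden flow through."""
    return [f for f in findings if f.severity == "gap"]


# Constructed sample log: two legitimate POS flows, one POS egress to an
# unrelated web server, two reach-in attempts from the office LAN (one denied,
# one allowed), and one office flow that does not involve the POS host at all.
SAMPLE_LOG = [
    "2014-04-10T12:00:01 src=192.168.10.50:49152 dst=203.0.113.10:443 proto=tcp action=allow",
    "2014-04-10T12:00:02 src=192.168.10.50:49153 dst=192.168.10.1:53 proto=udp action=allow",
    "2014-04-10T12:00:03 src=192.168.10.50:49154 dst=198.51.100.7:80 proto=tcp action=allow",
    "2014-04-10T12:00:04 src=192.168.20.33:51000 dst=192.168.10.50:445 proto=tcp action=deny",
    "2014-04-10T12:00:05 src=192.168.20.33:51001 dst=192.168.10.50:3389 proto=tcp action=allow",
    "2014-04-10T12:00:06 src=192.168.20.40:51002 dst=198.51.100.7:80 proto=tcp action=allow",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} [{f.severity}] {f.src} -> {f.dst}:{f.dport}/{f.proto}: {f.reason}")
```

Run against the sample, it reports three findings: the POS host's HTTP connection out to an unrelated server (a gap), the denied SMB attempt from the office LAN (blocked, the control worked), and the allowed RDP connection from the office LAN (a gap). The "gap" findings are the ones that would need fixing before a QSA would accept network isolation as a compensating control; the "blocked" ones are the evidence that the control is doing its job.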
 
LVL 26

Expert Comment

by:skullnobrains
Many non-MS OSes are free... and much more stable than XP or 7.

XP is probably currently still much more secure than any of its MS successors.

If you're concerned about $$, I hardly believe the guy who recently dared to sell a PC with XP won't do an upgrade if you complain.
0
 

Author Comment

by:StewartGilligan
To answer diverseit, we are a small pub that accepts credit cards, so I'm not sure if we are A, B, C, D.... :-(. Does anybody know?
0
 
LVL 26

Expert Comment

by:skullnobrains
not my field at all but most likely C (see the copy-paste below)

https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf

PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v2.0 October 2010
Copyright 2010 PCI Security Standards Council LLC
Page 12

Selecting the SAQ and Attestation that Best Apply to Your Organization

According to payment brand rules, all merchants and service providers are required to comply with the PCI DSS in its entirety. There are five SAQ categories, shown briefly in the table below and described in more detail in the following paragraphs. Use the table to gauge which SAQ applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ.

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
SAQ D: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

The SAQ question list is on page 9 of the PDF, and there is a "Guidance for Non-Applicability of Certain, Specific Requirements" section near the end that lists requirements that do NOT apply to C and D cases.

hope that helps
0
 

Author Closing Comment

by:StewartGilligan
great info.  thanks all :-)
0
 
LVL 24

Expert Comment

by:diverseit
Thanks for the points. ...Glad I could help!
0
