Solved

xp retired, help :-(

Posted on 2014-04-08
14
290 Views
Last Modified: 2014-04-15
We recently bought a PC at our shop with Windows XP Pro. We were told XP Pro was the most stable operating system. Now we find out it has been "retired" and our machine is no longer compliant to take credit card transactions. Our machine is behind a SonicWall, but I guess that doesn't matter. Any creative solutions to stay compliant without a big cost? Thanks.
0
Question by:StewartGilligan
14 Comments
 
LVL 31

Expert Comment

by:Frosty555
ID: 39987930
Is the hardware suitable to run Windows 7 or 8? Purchase a retail copy of a modern operating system and install it.

If the computer is sufficiently old that it is unsuitable to run Windows 7 or Windows 8.... you shouldn't have bought it in the first place. Try to return it, or write it off and consider it a lesson learned.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39988032
Hi StewartGilligan,

XP is the most stable system, yes, pre-Windows 7, LOL.

If you have another computer that has Windows 7/8 Pro then you could run your credit cards through that by segmenting it from the rest of the computers in the network.

Do you store credit card data?

You can use a token service to avoid needing to be PCI compliant.

Let me know!
0
 
LVL 3

Expert Comment

by:mlsbraves
ID: 39988038
Agree with Frosty555. If the computer hardware specs meet the minimum requirements of Windows 7 (you could technically use Vista, but what a horrible OS), you can upgrade the OS. If not, then your best bet will be to replace the computer. Antivirus or any other program will not protect XP from the security vulnerabilities in the future. An OS upgrade will be required to stay in PCI compliance.
0
 
LVL 3

Expert Comment

by:mlsbraves
ID: 39988050
Do you store credit card data?

You can use a token service to avoid needing to be PCI compliant.

Even if the merchant doesn't store CC data, they are still required to be PCI compliant since they are processing a card. Tokenization or not storing card data would definitely increase their level, but even a tier 4 is required to fill out a SAQ annually.
0
 
LVL 92

Expert Comment

by:nobus
ID: 39988060
Use the compatibility list to get an idea: http://www.microsoft.com/en-us/windows/compatibility/CompatCenter/Home?Language=en-US

Roughly, I would suggest a bare minimum of 2 GB RAM (better 4 GB) and a dual-core CPU
if you only need the OS plus your application.
0
 
LVL 25

Accepted Solution

by:
Diverse IT earned 167 total points
ID: 39988120
@mlsbraves - You are incorrect. If a company is not storing credit card data, their SAQ form and compliance standards are dramatically reduced. SAQ A, B and C are super easy to be compliant with, and tokenization (if a company is storing data) moves the liability from them to the tokenization processor - that is the point of tokenization (to remove the burden/liability).
Tokenization or not storing card data would definitely increase their level, but even a tier 4 is required to fill out a SAQ annually.
And have you reviewed an SAQ A, B or C form? I doubt you'd say that if you had. SAQ D is the only major standard, and that only affects merchants who store CC data.

P.S. Let's refrain from hijacking the thread here. :)

Cheers!
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 333 total points
ID: 39988457
Also note that having an outdated OS does not mean you are out of compliance!
I deal with QSAs all year long, and while an updated/supported OS is a better choice, you do not fall out of compliance simply for using an unsupported OS. Lots of old OSes still pass PCI with the proper compensating controls and documentation.
Have a look at the previous question I answered about this:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28363923.html#a39858835
-rich
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39989301
Hi StewartGilligan,

Do you know what SAQ form you fall under, e.g. (A, B, C or D...)?

For example if 6.2 applies to you then you are correct and your PCI compliance would fail:

PCI non-compliant
If Windows XP is in your cardholder data environment (CDE), your business will fall out of compliance as of April 9, 2014, regardless of when your annual compliance validation is scheduled to take place.

PCI DSS Requirement 6.2 states:
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. (Source: www.pcisecuritystandards.org)
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 333 total points
ID: 39989344
If you isolate the system with the proper controls, you can pass PCI. I have clients with NT4/Win2k and very old *nix machines, and the *nix machines (yes, they have PII on them) can't even run AV software. The PCI standard is not as strict as it sounds, and this is one of the best reasons to have the compensating controls be part of that standard.
80% of the banking ATMs in the US still run XP. I bet you next year it won't be much less than that, and the year after that; you won't see XP going from banks/ATMs for another 4 years. They could do it in one to two years, but I bet they put controls in place that allow them to get away with it for longer.
-rich
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39991215
Many non-MS OSes are free... and much more stable than XP or Seven.

XP is probably currently still much more secure than any of its MS successors.

If you're concerned about $$, I hardly believe the guy who recently dared to sell a PC with XP won't do an upgrade if you complain.
0
 

Author Comment

by:StewartGilligan
ID: 39994051
To answer Diverse IT: we are a small pub that accepts credit cards, so I'm not sure if we are A, B, C, D.... :-(. Does anybody know?
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39995751
Not my field at all, but most likely C (see the copy-paste below).

https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf

PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v2.0, October 2010
Copyright 2010 PCI Security Standards Council LLC, page 12

Selecting the SAQ and Attestation that Best Apply to Your Organization

According to payment brand rules, all merchants and service providers are required to comply with the PCI DSS in its entirety. There are five SAQ categories, shown briefly in the table below and described in more detail in the following paragraphs. Use the table to gauge which SAQ applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ.

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

SAQ B: Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.

SAQ C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

SAQ D: All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

The SAQ question list is on page 9 of the PDF, and there is a "Guidance for Non-Applicability of Certain, Specific Requirements" section near the end that lists requirements that do NOT apply to C and D cases.

Hope that helps.
0
 

Author Closing Comment

by:StewartGilligan
ID: 40000766
Great info. Thanks all :-)
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 40001746
Thanks for the points. ...Glad I could help!
0
