Microsoft recently announced that it is ending support for the Windows Server 2003 operating system on July 14, 2015. Windows Server 2003 is heavily relied upon in e-commerce. Therefore, if your business conducts e-commerce (i.e., has a website with a shopping cart), then it’s possible you’re using the Windows Server 2003 operating system.
Why you should upgrade by July 14
Just like its sunsetting of Windows XP last year, Microsoft will no longer issue software or security updates for Windows Server 2003 after July 14 of this year. Consequently, malicious attacks on businesses still running the operating system after that date will increase exponentially, as cybercriminals turn their attention to finding holes in its security armor. Hackers will also keep an eye on newly identified Windows vulnerabilities, understanding that Microsoft will not be patching them for Windows Server 2003.
Vendor-supported operating systems and devices are a crucial part of any environment that aims to maintain a high level of security and compliance. The bad guys won’t stop writing malicious code or looking for flaws, so when a vendor stops fixing those flaws within a given operating system, any instance of that system within an environment immediately introduces risk.
Consequently, if a Windows Server 2003 machine is part of your cardholder data environment (CDE), your business will fall out of compliance with the PCI DSS as of July 15, 2015 unless it has implemented some significant compensating controls. Those compensating controls would revolve around keeping up with patching by manually reviewing and applying patches, restricting logical and physical access to the servers, and very carefully logging, correlating, and reviewing log files. Basically, you would need to go way above and beyond to cover for the continued use of Windows Server 2003.
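Before you can scope compensating controls, you need to know which hosts in the environment are actually running Windows Server 2003 and how far behind on patches each one is. The following PowerShell script is an added example, not part of the original post or any Microsoft tooling. It assumes the hosts are domain-joined, that the ActiveDirectory module (RSAT) is installed where the script runs, and that the account has rights to query WMI on the target servers; the 30-day threshold mirrors the PCI DSS Requirement 6.2 patch window quoted below.

```powershell
# Added example (not from the original post): inventory domain-joined hosts still
# running Windows Server 2003 and report when each last installed a hotfix.
# Assumes the ActiveDirectory module (RSAT) and rights to query WMI on the hosts.
Import-Module ActiveDirectory

# Pull every computer object whose OS attribute identifies Windows Server 2003
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "*Server 2003*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

$report = foreach ($c in $legacy) {
    # Most recent installed update, if the host is reachable over WMI
    $lastPatch = $null
    try {
        $lastPatch = Get-HotFix -ComputerName $c.Name -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1 -ExpandProperty InstalledOn
    } catch {
        # Host offline or WMI blocked; leave LastPatch empty so it is reviewed by hand
    }

    [PSCustomObject]@{
        Host         = $c.Name
        OS           = $c.OperatingSystem
        ServicePack  = $c.OperatingSystemServicePack
        LastLogon    = $c.LastLogonDate
        LastPatch    = $lastPatch
        # Flag hosts more than 30 days without a patch (PCI DSS 6.2 window);
        # 'unknown' means the host could not be queried
        PatchOverdue = if ($lastPatch) { $lastPatch -lt (Get-Date).AddDays(-30) } else { 'unknown' }
    }
}

$report | Sort-Object Host | Format-Table -AutoSize
# Keep a dated copy as evidence for the compensating-control review (path is an assumption)
$report | Export-Csv -Path .\ws2003-inventory.csv -NoTypeInformation
```

Any host that appears in the report and sits inside the CDE is the one that needs either a migration plan or the manual patch-review, access-restriction, and log-review controls described above; hosts marked `unknown` should be checked by hand rather than assumed compliant.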
PCI DSS Requirement 6.2 states:
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. (Source: www.pcisecuritystandards.org)
Note that the acceptance of any compensating controls is at the discretion of the card brands and banks and may only be accepted under certain circumstances.
What you should do now
The good news is that Microsoft has created a special website, including tools and educational resources, to help your business smoothly migrate from Windows Server 2003. The Microsoft Windows Server 2003 Migration Website collects these tools and resources in one place.
Subscribe to this blog for additional tips and webinar announcements.