No Windows XP Support, No PCI Compliance?

March 19, 2014

Over the past few weeks, ControlScan has heard from several hundred small merchants who are currently running Windows XP in their IT environment. Their feedback was in response to a ControlScan survey gauging their awareness and expectations surrounding Microsoft’s sunsetting of the operating system. While 92% of the merchants we heard from are aware of XP’s end of life, less than half of them (43%) are concerned with the security implications.

Microsoft’s end to its support of Windows XP will cause serious security issues for merchants (and others) who continue to utilize it beyond the April 8, 2014 end-of-life date. In this post, I’ll explain exactly what XP’s end of life means for your organization’s security and compliance, and what you can do about it.


An untrusted state
If your organization is running Windows XP after April 8—even if you have antivirus programs and firewalls in place—your security posture will be significantly reduced.

Here is commentary from a director at Microsoft:

The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a “zero day” vulnerability forever. (Source: Microsoft Security Blog)

He goes on to say:

Some…are quick to point out that there are security mitigations built into Windows XP that can make it harder for such exploits to be successful. There is also anti-virus software that can help block attacks and clean up infections if they occur. The challenge here is that you’ll never know, with any confidence, if the trusted computing base of the system can actually be trusted because attackers will be armed with public knowledge of zero day exploits in Windows XP that could enable them to compromise the system and possibly run the code of their choice. Furthermore, can the system’s APIs that anti-virus software uses be trusted under these circumstances?

Even fully patched Windows systems running current anti-virus software get infected. An operating system that can no longer be patched at all has to be treated as untrusted.

PCI non-compliant
If Windows XP is in your cardholder data environment (CDE), your business will fall out of compliance as of April 9, 2014, regardless of when your annual compliance validation is scheduled to take place.

PCI DSS Requirement 6.2 states:

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. (Source: www.pcisecuritystandards.org)

Should your organization experience a breach, you will be deemed “non-compliant,” even if you were previously validated compliant. But even before any breach, you will not be able to pass an ASV network scan: Approved Scanning Vendors are required to automatically fail any host running an operating system the vendor no longer supports.

Ultimately, vendor-supported operating systems and devices are a crucial part of any environment that aims to maintain a high level of security and compliance. The bad guys won’t stop writing malicious code or looking for flaws, so when a vendor stops fixing those flaws within a given operating system, such as XP, any instance of that system within an environment immediately introduces risk.

Step 1: Identify XP in your environment

Only 16% of the respondents to our XP survey are confident their organization does not have the Windows XP operating system running in its IT environment. Many organizations host all or a portion of their IT environment off-site, further complicating discovery/awareness of XP.

Organizations can use vulnerability scanning and asset management solutions to help identify all instances of XP within their environment. A manual inventory effort may also be necessary to fully confirm that every instance of XP has been discovered and addressed; stand-alone point-of-sale terminals, kiosks and lab machines that were never joined to the domain are the ones most often missed.
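The following PowerShell is an added example of the inventory step, not something from the original post or from ControlScan. It assumes a Windows domain, the ActiveDirectory module (RSAT) on the admin workstation, and rights to query AD and WMI on the targets. It first pulls every enabled computer object whose recorded operating system is Windows XP, then checks the live OS version on each host, because the AD attribute is self-reported at join time and can be stale.

```powershell
# Added example: find Windows XP hosts via Active Directory, then confirm on the live host.
# Assumes: ActiveDirectory module available, rights to read AD and to query WMI remotely.

Import-Module ActiveDirectory

# 1. Every enabled computer object whose recorded OS mentions Windows XP.
#    LastLogonDate shows whether the machine is still actually in use.
$xpFromAd = Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*" -and Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, OperatingSystemVersion, LastLogonDate

$xpFromAd | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

# 2. Verify against the running system. Get-WmiObject uses DCOM, which XP supports;
#    Get-CimInstance defaults to WinRM, which XP hosts will not have.
#    Windows XP reports NT version 5.1 (5.2 is XP x64 / Server 2003).
foreach ($c in $xpFromAd) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c.Name -ErrorAction Stop
        $live = if ($os.Version -like '5.1*') { 'CONFIRMED Windows XP' } else { "now $($os.Caption) $($os.Version)" }
    } catch {
        # Off, firewalled, or retired but never removed from AD: needs a manual check.
        $live = 'unreachable (verify manually)'
    }
    '{0,-20} {1}' -f $c.Name, $live
}
```

This only finds domain-joined machines. Devices that were never joined (POS terminals, kiosks, vendor-managed appliances) have to be found by an authenticated vulnerability scan or network OS fingerprinting of the cardholder data environment, and any host the script reports as unreachable should be located physically rather than assumed gone.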

Step 2: Make a game plan for the coming months
While the ideal plan is to upgrade all XP machines to a modern operating system by the April 8 deadline, some organizations simply can’t allocate the necessary financial or human resources. It is extremely important that those organizations have a game plan, however.

An effective, low-cost “stop gap” option for the small business is to enlist the services of a Managed Security Service Provider (MSSP). MSSPs specialize in delivering the technical expertise and security know-how required to secure your business and meet PCI compliance requirements. They will partner with you to ensure your firewall settings and system configurations are secure and your system is monitored 24/7/365 for any suspicious activity. Note that what I’ve just described, however, is only a stop gap; you must have an action plan to remove Windows XP from your network as soon as is possible for your business.

Again, even with heightened controls in place, the presence of XP introduces risk that is very difficult to mitigate. A strong firewall rule set and 24/7 monitoring are excellent controls alongside a supported, patched operating system; they are not a substitute for one, and they do not compensate for the presence of an unsupported operating system.

Get started today
If your business is running Windows XP, your likelihood of suffering a data breach in the coming months is high. ControlScan’s research shows that the number of small-merchant breach events is increasing, and the Ponemon Institute reported in 2013 that small and midsize businesses that fall victim to viruses, worms, malware and botnets “experience a higher proportion of cybercrime costs” than their big-business counterparts.

Now is the time to assess your IT environment and plan accordingly. For more information and advice on mitigating the risk associated with Windows XP, please contact ControlScan at 1-800-825-3301, x 2. We’re happy to help.
