It should be *painfully* obvious to anybody that in a few short weeks [or maybe now, depending on how you interpret it] any merchant using Windows XP systems or devices inside the cardholder data environment (CDE) will NOT be PCI DSS compliant – unless they use stringent compensating controls.
Now, do I wish there was a nicer way to put it? Do I wish I had some great news to those merchants? Sure …. but I DO NOT. Neither does anybody else [at least not anybody else honest].
Use of Windows XP with no ability to obtain and apply security updates violates at least these PCI DSS requirements (quoted from PCI DSS v3):
- “6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.” [of course, the fact that the vendor no longer publishes said patches does NOT absolve you of this responsibility!]
- “11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved.” [of course, there will be high-risk vulnerabilities in XP post its sunset date … just you wait!]
- “11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections“ [as a side note, a pentester who cannot break into a vulnerable XP box probably isn’t]
In addition, the systems will NOT be able to achieve a passing external vulnerability scan from your ASV [now, why you’d expose an XP box to the outside is beyond me, but stupider things have happened. One word: telnet].
UPDATE: as my readers correctly pointed out, there are two exceptions to this:
- Windows XP Embedded (used in some devices) will still be supported until January 12, 2016
- Microsoft does offer “custom support” for Windows XP that organizations can buy (it is expensive though – even though Microsoft is lowering the maximum cap they charge)
UPDATE2: PCI Council does have an official FAQ entry on this topic and I really should have included a link [thanks for pointing this out!] So: “Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?” [the answer is of course "No, not without compensating controls"]
Does it mean that it is absolutely impossible to be compliant-while-using-XP? No, of course not! PCI DSS and the Magic of Compensating Controls can make you compliant in no time [eh…actually, it would take some time and a fair amount of work, but it sure sounded great, didn’t it? : – )].
What are some of the possible compensating control for “not patching” and running vulnerable systems in general [of course, you should not take any control advice from a blogger, analyst and PCI DSS book author, but only from your QSA : – )]
- Host IPS (HIPS)
- Application whitelisting
- Some fancy virtualization isolation (?)
Frankly, I don’t believe that NIPS and better network segmentation will do, but feel free to ask that QSA to be sure. For more vulnerability mitigation advice, also see “Solution Path: Vulnerability Assessment, Mitigation and Remediation” and “Vulnerability Assessment Technology and Vulnerability Management Practices” documents [Gartner GTP access required]
Additional research on retiring Windows XP can be found here [Gartner access required]:
- How to Protect Your PCs If You Are Still Running Windows XP in April 2014
- Custom Support Will Be Available for Windows XP at a Price
- Best Practices for Secure Use of XP After Support Ends
Posts related to PCI DSS: