We use cookies to deliver the best possible experience on our website. To learn more, visit our Privacy Policy.
By continuing to use this site, or closing this box, you consent to our use of cookies.

Blog home
Blog post

If You Use Window XP – You Are NOT PCI DSS Compliant!

By Anton Chuvakin | April 10, 2014 | 0 Comments

securitypatchingcompliance

It should be *painfully* obvious to anybody that in a few short weeks [or maybe now, depending on how you interpret it] any merchant using Windows XP systems or devices inside the cardholder data environment (CDE) will NOT be PCI DSS compliant – unless they use stringent compensating controls.

Now, do I wish there was a nicer way to put it? Do I wish I had some great news to those merchants? Sure …. but I DO NOT. Neither does anybody else [at least not anybody else honest].

Use of Windows XP with no ability to obtain and apply security updates violates at least these PCI DSS requirements (quoted from PCI DSS v3):

  • “6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.” [of course, the fact that the vendor no longer publishes said patches does NOT absolve you of this responsibility!]
  • “11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved.” [of course, there will be high-risk vulnerabilities in XP post its sunset date … just you wait!]
  • “11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections“ [as a side note, a pentester who cannot break into a vulnerable XP box probably isn’t]

In addition, the systems will NOT be able to achieve a passing external vulnerability scan from your ASV [now, why you’d expose an XP box to the outside is beyond me, but stupider things have happened. One word: telnet].

UPDATE: as my readers correctly pointed out, there are two exceptions to this:

  • Windows XP Embedded (used in some devices) will still be supported until January 12, 2016
  • Microsoft does offer “custom support” for Windows XP that organizations can buy (it is expensive though – even though Microsoft is lowering the maximum cap they charge)

UPDATE2: PCI Council does have an official FAQ entry on this topic and I really should have included a link [thanks for pointing this out!] So: “Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?” [the answer is of course “No, not without compensating controls”]

Does it mean that it is absolutely impossible to be compliant-while-using-XP? No, of course not! PCI DSS and the Magic of Compensating Controls can make you compliant in no time [eh…actually, it would take some time and a fair amount of work, but it sure sounded great, didn’t it? : – )].

What are some of the possible compensating control for “not patching” and running vulnerable systems in general [of course, you should not take any control advice from a blogger, analyst and PCI DSS book author, but only from your QSA : – )]

  • Host IPS (HIPS)
  • Application whitelisting
  • Some fancy virtualization isolation (?)

Frankly, I don’t believe that NIPS and better network segmentation will do, but feel free to ask that QSA to be sure. For more vulnerability mitigation advice, also see “Solution Path: Vulnerability Assessment, Mitigation and Remediation” and “Vulnerability Assessment Technology and Vulnerability Management Practices” documents [Gartner GTP access required]

Additional research on retiring Windows XP can be found here [Gartner access required]:

Posts related to PCI DSS:

Comments are closed