Windows XP End of Life & PCI Compliance

posted Oct 16, 2013, 1:45 PM by Kyle Killoren   [ updated Dec 18, 2013, 1:23 PM ]
As the deadline for Windows XP extended support draws near, many local businesses are left considering their options. After April 8th, 2014 any merchant still processing integrated credit cards on XP will no longer be compliant according to PCI-DSS requirement 6.1:

“Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.”

Since Microsoft will stop putting out security updates for XP after this date, any users still on XP technically won't be able to have the "latest vendor supplied security patches". This means you will have to upgrade your back office computer (and any registers swiping credit cards) to a more current OS such as Windows 7 or 8.

Here is the link for merchants to find out more:

As a courtesy to our customers, we will be providing some helpful information to determine who is affected and how they can beat the compliance deadline. Check out the PDF attached below for more information on the PCI-DSS regulations, or give us a call at (314) 427-6143. We'd be happy to look over your system, give a compliance evaluation, and upgrade any equipment necessary to make sure your business is fully protected.

Here is a link to the PCI Compliance Guide's website, which has a lot of useful information, including the penalties for non-compliance, as well as common myths and frequently asked questions.

As word spreads about the Windows XP deadline, Cash Control Business Systems has been proactively contacting our remaining XP customers one on one to formulate a personalized plan to get them switched over so they won't have to rush as April approaches. If you have any comments or suggestions, please give us a call.

For more information, here is the link to another interesting article from Tech Page One:

Windows XP: The end of the road

Instead of dealing with overarching issues like the effects of global warming or the best path to a cancer cure, today we will deal with an issue that’s closer to home and our work place. It’s an incontrovertible fact that the viable life of Windows XP has come to an end. Even the date of its demise has been set: Microsoft will pull the plug on Windows XP April 8, 2014. After that date there will be no more security updates. To sum it up, there will be no more support for Windows XP.

Image credit: IDC/Flexera


When Microsoft stops providing patches for Windows XP, that operating system will be extremely vulnerable. Hackers are already salivating at the opportunity to take over unsuspecting computers. When they find a zero-day or other flaws in the operating system, they will have access to millions of these old XP computers. Notice that I say “when” rather than “if” because it is only a matter of time before exploits will be found. Since there will be no patch from Microsoft, anyone who continues to use Windows XP after April 8 will be at the mercy of hackers and in grave risk of having their XP computer seriously compromised. No firewall or anti-virus software will give them adequate protection.

In its heyday, Windows XP was the world’s most popular operating system. Many corporations computerized their systems with Windows XP and an enormous amount of proprietary software was developed for it. At one time Windows XP had an installed user base of more than 800 million computers. Windows XP is still running on 39 percent of the computers currently in use as of this writing.

Even if the Windows XP base sinks to 10 percent of what it once was, hackers will still have millions of computers to target. Hackers have a “the more, the merrier” mentality. They always target operating systems that have a large installed base. The flimsy security of Windows XP and the lack of official support after April will ensure that hackers will be working diligently to break into these systems. Remember that while the security built into Windows XP was state of the art when it was released in 2001, Windows XP is now a rickety 12-year-old operating system. Even though security was increased with Service Release 2, it cannot compare to the security provided by Windows 7 or Windows 8.

For both individuals and organizations, there is a cost and time investment in migrating to new computers. However, the alternative of having insecure computers is not an option. Those who continue to use Windows XP after the termination date will face even higher costs and time investments when their computer systems are compromised—and if they are connected to the Internet, they will be compromised in short order after the April 8th date.

It’s not just the Windows XP operating system that’s going to be vulnerable to hackers. Many, if not most, applications running on Windows XP will no longer be supported by the application vendors because it won’t be economically worthwhile for them to keep supporting programs written for such an outdated operating system.

Unfortunately, some companies are taking a dangerous wait-and-see attitude regarding the migration to Windows 7 or Windows 8.

A joint study of more than 750 respondents by research firm IDC and Flexera Software showed that approximately half of the respondents had completed less than 75 percent of their migration. Only a minority of organizations have completed their migration.

Even more surprisingly, a Camwood survey of 250 IT decision makers from companies of more than 2,000 seats shows that less than half of large U.K. organizations have started the migration away from Windows XP.

Image credit: IDC/Flexera


Those who are taking the “if it isn’t broken, don’t try to fix it” attitude will quickly find that after April 2014, Windows XP will be broken and will need to be fixed. Moving to Windows 7 or 8 now is a far better economic proposition than putting off the inevitable until the spring of 2014. In addition, these newer versions of Windows will provide better overall security as well as the ability to implement some of the latest technologies including BYOD, consumerization of IT, always-on, and easier migration to the cloud.

It’s easy to blame Microsoft for stopping Windows XP support. However, it has supported it for 12 years which is an astonishingly long time to keep supporting a software product. Microsoft actually extended its normal 10-year product lifespan by two years for this product.

If your organization hasn’t yet started or completed the migration to Windows 7 or 8, you need to stop right now and assess your progress or lack thereof. With the amount of proprietary software written specifically for Windows XP and the length of time that it was in use, migrating to a newer operating system will be lengthy and problematic for some organizations. Outside expertise may be needed. We’ll be covering XP migration and aspects of what to assess over the next few weeks to help you take the necessary steps to make the change. There are many options available, including Dell which provides end-to-end device and operating system migration for organizations of all sizes.

Make the move now because waiting until April 2014 is sure to put a bigger drain on your company’s finances and an added stress on both your IT and executive staff.
