April 8th has come and gone and Windows XP is now officially retired. Microsoft no longer supports Windows XP, which means it will no longer patch bugs or security flaws in the operating system. Continuing to run Windows XP on your machines is therefore a major security risk.
Many people are now asking what this means for their organization and whether it affects their organization's PCI Compliance status. This is a great question to ask and it is crucially important to card security. The answer can be quite complex, so let's take a closer look. But first things first: if you are unsure whether your machines run Windows XP, check Microsoft's website, which will tell you which operating system your computer is running.
What Is At Risk?
It is important to note that regardless of how your organization's PCI Compliance status is affected, it is highly recommended to upgrade to either Windows 7 or Windows 8. Continuing to use Windows XP puts your workstation(s) at risk, and there is more at risk than just the card data on that computer. If an attacker is able to gain access to a workstation through an unpatched flaw in Windows XP, they have access to everything on that machine and a foothold on everything it can reach over the network. Other machines on the same network become targets too, and the attacker may be able to obtain any sensitive data your organization stores, such as personal data on your customers or donors, which is a major privacy concern. They could also reach any documents containing proprietary information: the annual report you are working on, new strategies you are planning, even your email.
PCI Compliance Impact
If your organization accesses card data on computers running Windows XP, or on computers that share a network with a machine running Windows XP, your organization is no longer compliant with the PCI Data Security Standard. This is due to question 6.1a of the PCI DSS, which asks: "Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?" Since Microsoft will no longer patch known vulnerabilities in Windows XP, the answer to this question has to be "No", which means your organization would not be in compliance. The reason this requirement is so important is that attackers have an arsenal of malicious software they can use, including one of the most damaging, a keylogger, which records every key you press. A keylogger can be configured to filter for passwords, or to watch for a run of digits that looks like a card number (typically 16 in a row), and then email the captured data to the attacker or collect it in a file for later pickup, all without you ever noticing what is happening.
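The "16 numbers in a row" filter described above is a heuristic defenders can turn around: the same digit-run matching, tightened with the Luhn check that every real card number passes, finds card numbers stored in documents, exports or logs. The scanner below is an added example and is not code from the original post. It is also the check you would run on your workstations to confirm that the "do not store or enter card data" policy discussed later on this page is actually being followed. The sample text is constructed; the two card numbers in it are the widely published Visa test numbers (4111... and 4242...), and the phone number, order reference and account number are there to show what gets ignored.

```python
from __future__ import annotations
import re

# A candidate card number (PAN) is 13-19 digits, optionally separated into
# groups by single spaces or dashes. The pattern is deliberately loose;
# the Luhn check below removes most of the noise it lets through.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every second digit counted from the right is doubled; if the doubled
    value exceeds 9, 9 is subtracted (equivalent to summing its digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digits-only PAN candidates in text that pass the Luhn check."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows in a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[tuple[int, str]]:
    """Scan text line by line and report (line_number, masked_pan) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed sample: a pledge note such as a volunteer might type into a
# spreadsheet. Only lines 1 and 3 contain real (test) card numbers.
SAMPLE = """\
Pledge from donor: card 4111 1111 1111 1111 exp 12/16, call 800-555-0199
Order ref 1234567812345678 is a 16-digit run that fails the Luhn check
Membership renewal 4242-4242-4242-4242 entered over the phone
Invoice total 1234.56, bank account 0001234567
"""

if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE):
        print(f"line {lineno}: possible card number {masked}")
```

Two cautions when using this on real files. The Luhn check passes about one in ten random digit strings of the right length, so every hit still needs a human look before you conclude card data is being stored. And the scan itself handles card data: run it on the machine being checked rather than copying files elsewhere, and record only the masked values, as `scan_text` does.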
How to Stay Secure
There are three ways you can resolve the PCI Compliance impact from Windows XP reaching its “end of life” and help to ensure security of your network and card data stored or entered onto your work stations:
- Isolate Windows XP machines. This means taking them off your network entirely, wired and wireless, so they cannot reach the machines at your location that handle card data. A Windows XP machine that can still connect to those machines is not isolated.
- Upgrade machines currently running Windows XP to Windows 7 or Windows 8.
- Change your policies so that your organization does not store or enter card data on its own machines.
Updating Your Policies
The third option listed above may be one of the better ways to resolve the issue, and here is why: limiting your exposure to card data is the safest thing you can do. If your machines never see or enter card data, the cardholder initiates the transaction (donation or purchase) themselves on their own machine, and they are responsible for the security of that machine. This can be a big change for organizations, since many will enter the information on behalf of their cardholders when they receive a pledge card or a cardholder calls and gives the details over the phone. In the end it may be worth making the change. Simpler PCI requirements, and the peace of mind of knowing that your organization is not responsible for card data entered through its network and machines, may be worth the transition in policies.
If updating your policies is not feasible because of the way your organization needs to run and support its cardholders, the best thing you can do is contact your IT team or volunteers and ask them to help you upgrade your operating system or isolate the machines running Windows XP. You can learn more about the impact of Windows XP no longer being supported from the resources on the Microsoft website here, and on the PCI Council website here.
As always, we are here to support you. If you have further questions about how Windows XP may affect you or about any of the tips above, be sure to let us know. You can leave us a question in the comments below or reach out to us by phone at 800-811-7826.
If you have questions about PCI that you would like to see covered, let us know! Email us your thoughts or questions and we may be able to address them here on our blog.