Windows XP can put SOX, HIPAA, credit card security-compliance at risk

When Microsoft stops supporting Windows XP next month businesses that have to comply with payment card industry (PCI) data security standards as well as health care and financial standards may find themselves out of compliance unless they call in some creative fixes, experts say.

Strictly interpreted, the PCI Security Standards Council requires that all software have the latest vendor-supplied security patches installed, so when Microsoft stops issuing security patches April 8, businesses processing credit cards on machines using XP should fall out of PCI compliance, says Dan Collins, president of 360advanced, which performs security audits for businesses.

+ Also on Network World: 9 must-do's if you must stick with Windows XP  | China prefers to stick with dying Windows XP rather than upgrade +

But that black and white interpretation is tempered by provisions that allow for compensating controls supplementary procedures and technology that helps make up for whatever vulnerabilities an unsupported operating system introduces, he says.

These can include monthly or quarterly reviews of overall security, use of software to monitor file integrity and rebooting each XP machine every day in order to restore it to a known safe state, says Mark Akins, CEO of 1st Secure IT, which also performs compliance audits. That safe state can be reset using a Microsoft tool called SteadyState that was built for XP but not later versions of Windows.

"Risk is the factor," he says, and mitigating it is the goal, but the mitigations must reduce risk just as effectively as the original regulatory requirement that is not being met. To some extent that is a subjective call, and depending on the auditor businesses may have more or less flexibility in what compensating controls are deemed OK, says Akins.

Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) financial regulations have provisions similar to those in the PCI standard, says Collins. In fact, PCI provisions are pretty much the baseline for the other two, which have some additional requirements tacked on, he says.  So the issue goes well beyond businesses that handle credit cards.

These workarounds may sound good to businesses that haven't upgraded to Windows 7 or 8/8.1 yet, Akins says, but it's not likely to save any time, effort or money. "For IT it's easier to upgrade to Windows 7 or 8 versus implementing file integrity monitoring and installing SteadyState," he says.

Compensating controls can place a big load on IT departments because, for example, updating anti-virus software daily or constantly monitoring for file integrity or for evidence of intrusions, Collins says, isn't simple. "It's an arduous task," he says.

"Compensating controls should be as short-term as possible," and used only in order to keep key business applications running. Some legacy or proprietary business-critical software runs best or only runs on Windows XP, he says, and there are no feasible alternatives yet. "It's a major issue if the software deployed is unstable on newer versions of Windows."

That situation leaves a choice. The first option is to migrate from Windows XP or implement compensating controls. The second is buying replacement apps or rewriting old ones so they perform well on Windows 7 or 8/8.1. Another option businesses have is to pay Microsoft for extending XP support also costly, but something that can buy time until a better solution is in place.

Some merchants that should comply with PCI could fly under the radar for a while without doing anything to address Windows XP non-compliance, he says. While it's not advisable, they are not compelled to have security audits unless a merchant bank or credit processing service provider requires it and that doesn't happen all the time, Collins says.

PCI doesn't require all businesses to meet the updated operating system requirement. If credit card data is collected by a business, encrypted using keys that are not in control of that business and passed off to a separate entity for processing and storage, the collecting business doesn't have to comply with the requirement to a fully patched and supported operating system, Akins says.

Still, the best option is to upgrade, Collins says. "It's difficult to envision a case where the cost of upgrading is greater than the cost of compensating controls," he says.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.

Read more about software in Network World's Software section.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systemsPCI Security Standards Council

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place