There are ways around it, but upgrading may be simpler, cheaper
When Microsoft stops supporting Windows XP next month businesses that have to comply with payment card industry (PCI) data security standards as well as health care and financial standards may find themselves out of compliance unless they call in some creative fixes, experts say.
Strictly interpreted, the PCI Security Standards Council requires that all software have the latest vendor-supplied security patches installed, so when Microsoft stops issuing security patches April 8, businesses processing credit cards on machines using XP should fall out of PCI compliance, says Dan Collins, president of 360advanced, which performs security audits for businesses.
But that black and white interpretation is tempered by provisions that allow for compensating controls – supplementary procedures and technology that helps make up for whatever vulnerabilities an unsupported operating system introduces, he says.
These can include monthly or quarterly reviews of overall security, use of software to monitor file integrity and rebooting each XP machine every day in order to restore it to a known safe state, says Mark Akins, CEO of 1st Secure IT, which also performs compliance audits. That safe state can be reset using a Microsoft tool called SteadyState that was built for XP but not later versions of Windows.
“Risk is the factor,” he says, and mitigating it is the goal, but the mitigations must reduce risk just as effectively as the original regulatory requirement that is not being met. To some extent that is a subjective call, and depending on the auditor businesses may have more or less flexibility in what compensating controls are deemed OK, says Akins.
Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) financial regulations have provisions similar to those in the PCI standard, says Collins. In fact, PCI provisions are pretty much the baseline for the other two, which have some additional requirements tacked on, he says. So the issue goes well beyond businesses that handle credit cards.
These workarounds may sound good to businesses that haven’t upgraded to Windows 7 or 8/8.1 yet, Akins says, but it’s not likely to save any time, effort or money. “For IT it’s easier to upgrade to Windows 7 or 8 versus implementing file integrity monitoring and installing SteadyState,” he says.
Compensating controls can place a big load on IT departments because, for example, updating anti-virus software daily or constantly monitoring for file integrity or for evidence of intrusions, Collins says, isn’t simple. “It’s an arduous task,” he says.
“Compensating controls should be as short-term as possible,” and used only in order to keep key business applications running. Some legacy or proprietary business-critical software runs best or only runs on Windows XP, he says, and there are no feasible alternatives yet. “It’s a major issue if the software deployed is unstable on newer versions of Windows.”
That situation leaves a choice. The first option is to migrate from Windows XP or implement compensating controls. The second is buying replacement apps or rewriting old ones so they perform well on Windows 7 or 8/8.1. Another option businesses have is to pay Microsoft for extending XP support – also costly, but something that can buy time until a better solution is in place.
Some merchants that should comply with PCI could fly under the radar for a while without doing anything to address Windows XP non-compliance, he says. While it’s not advisable, they are not compelled to have security audits unless a merchant bank or credit processing service provider requires it – and that doesn’t happen all the time, Collins says.
PCI doesn’t require all businesses to meet the updated operating system requirement. If credit card data is collected by a business, encrypted using keys that are not in control of that business and passed off to a separate entity for processing and storage, the collecting business doesn’t have to comply with the requirement to a fully patched and supported operating system, Akins says.
Still, the best option is to upgrade, Collins says. “It’s difficult to envision a case where the cost of upgrading is greater than the cost of compensating controls,” he says.