Water and oil, cats and dogs, toothpaste and orange juice, Detroit Lions and Super Bowls — there are many things that simply don’t mix well. You can add Windows XP and compliance to that list now.
Many companies, large and small, have relied on Windows XP for years, and it hasn’t been an issue for compliance. However, all of that changed on April 8, 2014, when Microsoft support for the operating system expired.
To my knowledge, none of the major compliance frameworks have come out with any specific statements or guidance labeling Windows XP as non-compliant. However, even without such overt declarations, an unsupported operating system — by definition — violates some of the core tenets of most compliance efforts.
In general, regulatory and industry compliance frameworks like PCI-DSS, Sarbanes-Oxley (SOX), Health Insurance Portability and Accessibility Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) don’t call out specific platforms or tools. Compliance requirements are typically written as broad guidelines to provide a baseline for security and data protection without endorsing any specific solution or painting the compliance framework into a corner using technology that might be obsolete next year.
Some requirements might simply specify that the operating system must have the most current patches applied. One could make an argument that as long as any updates for Windows XP up through April 8 have been installed, that this requirement is met, because those would be the “most current” patches available. Such an argument clearly violates the spirit of compliance, even if it doesn’t explicitly violate the letter of the rules.
In some cases, risk can be mitigated through compensating controls. In English, that means that performing more frequent audits of security configurations, implementing additional layers of defense (such as firewalls, file integrity monitoring, intrusion detection / prevention, or other security tools), or including supplemental processes or technologies might be used to reduce the overall risk and stay in compliance.
Tyler Reguly, security research manager for Tripwire, points out that there is no such gray area, however, for PCI-DSS. The PCI-DSS Approved Scanning Vendors (ASV) Program Guide specifies on page 18: “The ASV scan solution must be able to verify that the operating system is patched for known exploits. The ASV scan solution must also be able to determine the version of the operating system and whether it is a version no longer supported by the vendor, in which case it must be marked as an automatic failure by the ASV.”
According to Reguly, the bottom line is, “Now that XP is out of support, it would register as a failure on PCI ASV scans. This would mean that compliance against PCI-DSS would not be possible for organizations running Windows XP.”
Even if we assume that Windows XP somehow doesn’t inherently violate SOX, HIPAA, or other common compliance frameworks simply by being unsupported, the reality is that almost every company falls under the jurisdiction of PCI-DSS. The PCI-DSS standards apply to all organizations that store, process, or transmit cardholder data. It is exceptionally rare to find a business that doesn’t process credit card transactions today — even food trucks and farmer’s markets swipe credit cards from their smartphones using tools like Square.
Granted, the guy selling tomatoes at the farmer’s market using Square on his iPhone probably doesn’t realize or care that he technically falls under PCI-DSS guidance. Businesses that store, process, or transmit cardholder data do fall under PCI-DSS rules, though, and using Windows XP puts them at risk of no longer being able to do so.
Many companies that continue to use Windows XP have cited cost, or a lack of business need as justification for clinging to the legacy OS. However, remaining compliant is a clear business need as well, and continuing to use Windows XP will ultimately cost more than proactively migrating to a newer, supported operating system. Do you agree? Share your thoughts in the discussion thread below.