We have talked at length about the end of support for Microsoft XP and its implications for users with regard to security and licensing, but we thought it important to also make our clients and friends aware of the potential for non-compliance with PCI-DSS for any organizations using Point-of-Sale (POS) payment application environments.
Requirement 6 in the PCI-DSS documentation directs all users to “Develop and maintain secure systems and applications.” Because Microsoft will no longer issue security updates for Windows XP after April 8th, systems running it will no longer meet this requirement. And in case this is too vague, look at Requirement 6.1 (Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Deploy critical patches within a month of release).
Microsoft will continue to provide updates to its malware signatures in products such as System Center Endpoint Protection through June 2015. However, Microsoft would still refer to Windows XP after April 8, 2014 as ‘unsupported.’ So malware may be detected, but Microsoft may not provide fixes in every case, leaving the customer to rely on alternative mitigation strategies. Be aware that support for Office 2003 expires on the same date. Microsoft has not released any information concerning continued security-related support for this product.
As we have said before, we recommend making the switch to a newer OS to ensure you receive critical software updates and maintain a secure environment. PCI compliance is yet another reason to make this switch.