4 min read
NIST Update to Format Preserving Encryption Standard affects PCI Use Cases
Last month NIST announced they were seeking feedback on a proposed updated guidance for FPE. More formally this is SP 800-38G rev 1 "Recommendation...
1 min read
CG Blogger : Dec 20, 2020 10:07:14 PM
Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft “Support Lifecycle” [2] can be misunderstood, leading to compliance confusion and unnecessary work.
Software used within a Cardholder Data Environment (CDE) must have the capability to receive security updates per requirement 6.2 of the Data Security Standard (DSS). Additionally, the Business-As-Usual Best Practices of the DSS requires organizations to confirm software continues to be supported. If the software is no longer supported then you may no longer be PCI compliant.
If security is a serious concern for your organization, staying ahead of the support curve can improve the overall security of your systems. Newer operating system versions generally include new or improved security features [See 4].
General Purpose Windows XP should have been phased out by Q2 2014, and upgrading of Vista machines should be nearing completion by the end of 2016.
Point of Sale systems running Windows 7 will receive extended support until January 14, 2020 which provides breathing room for those businesses who have yet to upgrade to Windows 10.
The different Microsoft support phases; Mainstream and Extended, include different support offerings. Basically, end of mainstream support means no new service packs and features. Security updates continue until the end of Extended support (For details see Microsoft references [2, 3, 5]). This also means you may no longer be PCI compliant once the Extended support of Microsoft products ends.
The table below shows the expiry date of the Extended support of Windows products. The products are also organized as Server, Desktop, and Embedded.
Note: products shown in italics are past Mainstream support.
End of Extended Support | Product | Server | Desktop | Embedded |
---|---|---|---|---|
April 8, 2014 | Windows XP SP3 | ● | ||
April 8, 2014 | Windows Exchange Server 2003 Standard | ● | ||
July 14, 2015 | Windows Server 2003 Standard | ● | ||
January 12, 2016 | Windows XP Embedded | ● | ||
April 11, 2017 | Windows Vista | ● | ||
April 9, 2019 | Windows Embedded POSReady 2009 | ● | ||
January 14, 2020 | Windows 7 SP1 | ● | ||
January 14, 2020 | Windows Server 2008 | ● | ||
January 10, 2023 | Windows Server 2012 Standard | ● | ||
January 10, 2023 | Windows Embedded 8/8.1 Pro | ● | ||
January 20, 2023 | Windows 8.1 | ● | ||
October 14, 2025 | Windows 10 | ● |
Additionally, read our blog about PCI DSS version 3.2- What You Need to Know to Stay PCI Compliant.
4 min read
Last month NIST announced they were seeking feedback on a proposed updated guidance for FPE. More formally this is SP 800-38G rev 1 "Recommendation...
Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their...
6 min read
PCI DSS v4.0 is coming and will bring big changes. The exact nature of the changes aren’t yet available as the standard is still evolving under the...