How Microsoft Support Expiry can Affect Your PCI Compliance
Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft “Support Lifecycle”  can be misunderstood, leading to compliance confusion and unnecessary work.
Impact on PCI
Software used within a Cardholder Data Environment (CDE) must have the capability to receive security updates per requirement 6.2 of the Data Security Standard (DSS). Additionally, the Business-As-Usual Best Practices of the DSS requires organizations to confirm software continues to be supported. If the software is no longer supported then you may no longer be PCI compliant.
If security is a serious concern for your organization, staying ahead of the support curve can improve the overall security of your systems. Newer operating system versions generally include new or improved security features [See 4].
General Purpose Windows XP should have been phased out by Q2 2014, and upgrading of Vista machines should be nearing completion by the end of 2016.
Point of Sale systems running Windows 7 will receive extended support until January 14, 2020 which provides breathing room for those businesses who have yet to upgrade to Windows 10.
What are the Differences between Mainstream and Extended Support?
The different Microsoft support phases; Mainstream and Extended, include different support offerings. Basically, end of mainstream support means no new service packs and features. Security updates continue until the end of Extended support (For details see Microsoft references [2, 3, 5]). This also means you may no longer be PCI compliant once the Extended support of Microsoft products ends.
Windows Operating System Support Lifecycle
The table below shows the expiry date of the Extended support of Windows products. The products are also organized as Server, Desktop, and Embedded.
Note: products shown in italics are past Mainstream support.
|End of Extended Support||Product||Server||Desktop||Embedded|
|April 8, 2014||Windows XP SP3||●|
|April 8, 2014||Windows Exchange Server 2003 Standard||●|
|July 14, 2015||Windows Server 2003 Standard||●|
|January 12, 2016||Windows XP Embedded||●|
|April 11, 2017||Windows Vista||●|
|April 9, 2019||Windows Embedded POSReady 2009||●|
|January 14, 2020||Windows 7 SP1||●|
|January 14, 2020||Windows Server 2008||●|
|January 10, 2023||Windows Server 2012 Standard||●|
|January 10, 2023||Windows Embedded 8/8.1 Pro||●|
|January 20, 2023||Windows 8.1||●|
|October 14, 2025||Windows 10||●|
Additionally, read our blog about PCI DSS version 3.2- What You Need to Know to Stay PCI Compliant.
References: – Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS? – Microsoft Support Lifecycle Policy – Windows lifecycle fact sheet – What does the end of support of Windows XP mean for Windows Embedded? – Microsoft Product Lifecycle Search Tool
Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.