Microsoft have announced (here) that, after April 11th this year, “Windows Vista customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.”
Microsoft Vista was released on 30th January 2007; to put that date in perspective, Amy Winehouse’s ‘Back to Black’ was the number one album.
Vista came five years after the release of Windows XP, and was in turn replaced in October 2009 by Windows 7.
At its peak, some 19% of Windows users were running Vista, while XP retained 63% of the desktop market.
Today, Vista’s market share remains around 0.78%, but that’s still nearly 10 million PCs worldwide.
Of course, the PCI DSS Standard has this covered in sections 6, 11.2 and 11.3.
The PCI Security Standards Council – when Windows XP reached End of Service (EOS) in 2014 – stated that “PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.”
The PCI Security Standards Council’s FAQ can be found here:
As Microsoft themselves said in July 2014, “Payment Card Industry (PCI) policies will not be met with an operating system that is EOS.”
All this, of course, relates to a Merchant’s Cardholder Data Environment.
We at Compliance3 specialise in helping our customers de-scope their data environments by ensuring that their customers’ card data never reaches those environments.
If payment card data doesn’t reach your data environment, then that environment is not subject to PCI DSS, so there is no self-assessment. Or, if you transact more than six million card transactions per year, there is no need for external audits by expensive Qualified Security Assessors.
Of course, we would never encourage you to continue using outdated software, but we can certainly help you make sure (cost-effectively) that you’re not putting your customers’ card data at risk. Worth a chat?
Contact us to see how we can help your organisation.