End of Support for Windows Vista

Microsoft have announced (here) that, after April 11th this year, “Windows Vista customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft.” Windows Vista was released on 30th January 2007; to put that date in perspective, Amy Winehouse’s ‘Back to Black’ was the number one album. Vista came five years after the release of Windows XP, and was in turn replaced in October 2009 by Windows 7. At its peak some 19% of Windows users were running Vista, while XP retained 63% of the desktop market. Today, Vista’s market share is around 0.78%, but that is still nearly 10 million PCs worldwide.

Of course, the PCI DSS standard has this covered in Requirements 6, 11.2 and 11.3. When Windows XP reached End of Support (EOS) in 2014, the PCI Security Standards Council stated that “PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems from known exploits, and these requirements would not be able to be met.” The PCI Security Standards Council’s FAQ can be found here. As Microsoft themselves said in July 2014, “Payment Card Industry (PCI) policies will not be met with an operating system that is EOS.”

All this, of course, relates to a merchant’s Cardholder Data Environment. We at Compliance3 specialise in helping our customers de-scope their data environments by ensuring that customers’ card...

CNIL Hit Microsoft with a Formal Notice

The Problem

Since Microsoft’s release of Windows 10 in July 2015, excessive amounts of personal and usage data have been harvested from its users. Even when customers turn off every setting that might allow Microsoft to send data to its servers in the US, they still have no control over this. Windows 10 collects this information through its Cortana and Bing products: any ‘home searches’ and ‘live tile’ searches, as well as Internet queries, are sent over an unencrypted HTTP channel (‘threshold.appcache’). This is worrying because customers are not asked to consent to it, and they are not even able to turn the feature off. The unencrypted channel is a further issue in its own right, since it leaves the traffic readable by any malicious actor positioned on the network path.

CNIL and Microsoft

Since the French Data Protection Authority (CNIL) became aware of this, seven online observations were carried out in April and June 2016, and CNIL has since questioned Microsoft Corporation on the matter. Interestingly, Microsoft said nothing to defend or deny the excessive data collection in Windows 10. It responded that it was happy to comply with CNIL and to “understand the agency’s concerns fully and to work toward solutions that it will find acceptable.” Microsoft also addressed the reason the data was being sent back to the company’s US servers: the transfers were made under the previously applicable ‘Safe Harbour’ agreement. Now that Safe Harbour is no longer valid, Microsoft has said it will work towards the new requirements of the ‘Privacy Shield’.

Despite these statements, the Chair of the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Microsoft on...