Typically my messages and insights shared in Hospitality Upgrade revolve around security and ways to simplify PCI compliance. After all, I consider myself first and foremost a merchant advocate. This message is a little different; it’s more of a heads-up on a little-known PCI regulation that could cause you major problems in the near future.

On April 8, 2014, Microsoft’s extended support for Windows XP will cease. This could be a problem for many hoteliers because requirement 6.2 of the PCI Data Security Standards (PCI-DSS) tells us to “ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.” Once Microsoft ends their extended support, they’ll stop supplying security patches, which means properties still running Windows XP will be immediately out of compliance with PCI.

How Your OS Affects Compliance
The PCI Security Standards Council’s position on this subject is that if a vendor, in this case Microsoft, no longer supports a system component by issuing security patches, merchants running that component in their card data environment cannot check “In Place” on their next Self-Assessment Questionnaire. In case you weren’t aware, in order to be PCI-DSS compliant, all in-scope requirements must be checked “In Place.”

If you are running an unsupported OS, and it is accessible from the Internet, you will receive an automatic PCI failure on your next authorized scanning vendor (ASV) vulnerability scan and will immediately be deemed non-compliant with the PCI-DSS. The ASVs are required to automatically fail a scan upon detecting an unsupported OS.

What Should You Do?
If you will be affected by the Microsoft sunset event for Windows XP, then you should immediately consult with your merchant services provider (MSP) or merchant bank and your ISA or QSA so they are aware and can provide guidance. If you already have a plan to upgrade, then congrats – you’re ahead of the game. 

If you don’t have a plan or a budget allocation to upgrade to a supported OS, you have one other option – use Compensating Controls (see PCI-DSS Appendices B & C). This method is neither simple nor inexpensive, so I would certainly not recommend it, but for some it may be a necessity. Your particular situation should be discussed with your MSP/merchant bank and your ISA or QSA to determine your best course of action.

Update From IE8, While You’re at It
While we’re on the subject of updates, you should also make a point to move away from Internet Explorer 8 (IE8). Many websites have already begun to cease support for their sites on this outdated version. If you’re currently using IE8, you might have already received an annoying pop-up screen informing you of this when trying to access certain sites. Microsoft’s support of IE8 is scheduled to end when they terminate mainstream support for Windows 7 (Service Pack 1) on January 13, 2015. While extended support for IE8 will be offered, the cost for this support will be considerable and you will be missing out on new functionality, as well as the latest security enhancements.

Internet Explorer versions 9, 10, and 11 will continue to be supported by Microsoft after this date, so they are all valid alternatives (as are current versions of Firefox, Chrome, Safari, and a host of others), so  reach out to your IT department/contact for advice before updating your browser.

PCI can be a pain in the neck; we all know that. I would hate to see any of my friends in the industry lose their hard-earned (and expensive) stamp of compliance over a simple browser update. So get on it and may your updating process be a smooth and successful one.