Nothing more to say than thank you for this wonderful experience, after having passed the level 3 certification and the repair and maintenance certification for #PAX #TeamLab #Repost @sitiouno ・・・ Technical team of our PAX Service Center in Venezuela. #technology #tecnologia #mediosdepagos #banca #sitioUNO #siteone #servicecenter #venezuela #elpaisquequeremos #productonacional #level3 #training #cursopospax #pci #padss #emv #security (at La Yaguara Caracas)
Seriously now .. WHAT I’M DOING WITH MY LIFE
What You Need to Know About the Heartbleed Bug
While Microsoft’s push of the final patches for Windows XP might normally be seen as a big deal, a vulnerability in the OpenSSL library has managed to steal the spotlight. CVE-2014-0160, which is more commonly referred to as the “Heartbleed” bug, has revealed that it is possible for a malicious user to retrieve memory that could include sensitive data or even the private encryption keys from web servers running OpenSSL versions 1.0.1-1.0.1f and 1.0.2-beta1. Our security and compliance team has been able to exploit this vulnerability, which means attackers can as well.
Sikich Grows Security Practice with 403 Labs Merger
“Merging with 403 Labs is a strategic, key union for Sikich as it allows us to significantly expand our information security practice and grow our presence not only in the Milwaukee area, but around the world as well,” said Jeff Rudolph, partner-in-charge of Sikich’s technology practice. “403 Labs has an unmatched team of experts who will complement and magnify the services Sikich already offers in the security area.”
Through this merger, Sikich will have the ability to develop its information security practice with additional resources and top talent whose specialties range from compliance audits and computer security assessments to penetration tests and computer forensic investigations. Additionally, Sikich will acquire the 403 Labs San Francisco office, adding to the firm’s western U.S. presence. A previous merger led to the firm’s first western office in Denver.
In joining with 403 Labs, Sikich will become one of only six firms certified as a payment card industry (PCI) Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA), QSA and PA-QSA for Point-to-Point Encryption (P2PE), and PCI Forensic Investigator (PFI).
Joining the team as Partner, Security and Compliance Practice Leader will be D.J. Vogel, founder and principal of 403 Labs. Vogel holds multiple security certifications and worked extensively in the industry before starting 403 Labs in 2005. Brad Lutgen, marketing and business development director of 403 Labs, will also join the firm as Partner. Vogel and Lutgen will bring with them 29 additional security experts.
“The joining of the 403 Labs and Sikich teams is beneficial for all parties, and we are very excited about the opportunities this merger presents for both us and our clients,” said Vogel. “Sikich and its clients now have access to expanded technology service offerings in security and compliance, and our team can utilize additional resources and capital to enhance our growth. Further, our existing clients will be able to leverage Sikich’s expertise in additional technology and accounting areas that can improve their businesses.”
The team originally based in the 403 Labs Wisconsin headquarters will move into Sikich’s Milwaukee office, located at 13400 Bishops Lane, Suite 300 in Brookfield. The 403 Labs team is in the process of contacting clients to inform them of the recent change and address any questions they may have about the transition or Sikich.
For more information about Sikich or its information security practice, visit the Sikich website.
About Sikich LLP
Sikich LLP, a leading accounting, advisory, investment banking, technology and managed services firm, has more than 550 employees throughout the country. Founded in 1982, Sikich now ranks as one of the country’s Top 40 Certified Public Accounting firms and is among the top 1% of all enterprise resource planning solution partners in the world. From corporations and non-profits to state and local governments, Sikich clients can use a broad spectrum of services and products that help them reach long-term, strategic goals. Visit www.sikich.com to discover how you can elevate performance in your organization.
Securities are offered through Sikich Corporate Finance LLC, a registered broker dealer with the Securities Exchange Commission and a member of FINRA/SIPC.

403 Labs Adds Jano Kray to Manage Higher Education Vertical
Brookfield, WI – September 4, 2013 – 403 Labs has added Jano Kray as a manager to oversee their specialized higher education compliance vertical.
Jacob Ansari Talks PCI DSS Version 3.0 Change Highlights
Our own Jacob Ansari, Director of Technical Services here at 403 Labs, weighed in on some of the early interpretations of the changes. Specifically, he points out that, while some people bemoan the PCI DSS as doing too little, the PCI SSC has always pushed for those in the payments business to go above and beyond the standard:
"If you read the press releases from the people at the PCI SSC very carefully, you'll see that they always call PCI DSS a baseline for protecting cardholder data," he says, explaining that that's the whole point of Requirement 12.1.2, "which gives the organization latitude to implement controls above those required for PCI DSS compliance."
While a number of people feel the anticipated changes will make certain requirements more stringent, Jacob points out that, “Some of the changes that look like an increase in rigor on a specific requirement are already happening with forward-thinking and rigorous assessors.”
Windows XP Lifecycle Sunset: It's The Final Countdown
Our friend and colleague, Walt Conway, posted [a great column on the Windows XP sunset](http://storefrontbacktalk.com/securityfraud/windows-xp-end-of-life-could-cripple-pci-compliance/) over at StorefrontBacktalk in February. For those of you who aren’t aware, the support lifecycle for Windows XP comes to an end [one year from today](http://support.microsoft.com/lifecycle/?ln=en-us&c2=1173). Twelve months may seem far off, but if you depend on these systems within a secure environment, or one subject to any sort of regulatory compliance, you’d better have had a transition plan in place yesterday. We hope to make enough noise about this issue that nobody can ignore it. There are a few particular points regarding this looming date that we’d like to raise a clamor about:

1. We’ve been here before and we’ll be here again.

Microsoft’s support lifecycle for every one of their products [is published](http://support.microsoft.com/lifecycle/), and has been for years. Yet, when one of their operating systems reaches the end of that lifecycle, it’s always a shock to a large number of people. We’ve seen this effect as recently as 2010. In July of that year, Windows 2000 went end-of-life (EOL). Although the operating system (OS) was 10 years old at that point, there were still a large number of Windows 2000 machines out there (and our penetration testers still find some on occasion!).

However, we expect that the impact for XP will be significantly greater. We fear that it will be a victim of its own success, and Vista’s failure. When Windows XP was launched on December 31, 2001, it was adopted pretty quickly. For enterprise environments, it was an improvement on Windows 2000 Professional, and for consumers and small business, it was a vast improvement over Windows 98/ME. When Windows Vista launched, it was panned by critics and abhorred by system administrators. While Windows 7 has been much better received (jury is still out on Windows 8), the fracas caused by Vista meant that many were holding on to XP as long as they could. For some, “as long as they could” translates to April 8, 2014.

Once those users get that date behind them, there will be a few more that they’ll want to put on the calendar. Here are some notable EOL dates from Microsoft:

+ 07.14.2015 – Windows Server 2003
+ 01.12.2016 – Windows XP Embedded
+ 04.11.2017 – Windows Vista
+ 01.14.2020 – Windows 7
+ 01.14.2020 – Windows Server 2008 and 2008 R2

2. For a select few, there may be a loophole.

One date you may notice up there is the one for Windows XP Embedded. For some point of sale (POS) system users, this could represent a temporary loophole. However, many POS systems run on the garden variety of XP. If you’re running XP Embedded, the fact that this version was released after the general release and is designed for longer-life systems just bought you a little more time (don’t waste it).

3. Regarding whether an EOL OS is noncompliant, the Payment Card Industry Security Standards Council (PCI SSC) has come down on both sides of the argument, with caveats for each.

One of Walt’s points in his column is that the PCI Data Security Standard (DSS) does not explicitly bar an organization from using an EOL operating system. The PCI DSS contains specific requirements (see Requirement 6) calling for installation of vendor-supplied patches to address vulnerabilities. An OS which is no longer supported does not have such patches available, but nowhere does the phrase “end-of-life” appear in the standard. This is absolutely true. The standard does not explicitly state that EOL operating systems are noncompliant. In fact, the PCI SSC answers this question in their [FAQ](https://www.pcisecuritystandards.org/faq/):

> Would older operating systems that are no longer supported by the vendor be deemed non-compliant with the PCI DSS?
>
> FAQ Response
>
> Systems that use operating systems that are no longer supported with new security patches by the vendor, OEM, or developer are not necessarily out of compliance. Compensating controls could address risks posed by using older operating systems…

The FAQ goes on to spell out a potential path for a compensating control. However, compensating controls can get tricky. Compensating controls are required to actually go “above and beyond” the requirements, not simply provide alternative risk mitigation to meeting them. For instance, when a newly discovered remote exploit is published, meeting the requirement may involve patching the software to prevent that single vulnerability. Going above and beyond could be removing that system’s network connection entirely, to prevent this exploit or any other remote vulnerabilities from being executed.

When we went through the Windows 2000 EOL period, we dealt with a number of organizations attempting to leverage compensating controls in order to keep their Win2k systems running in their cardholder data environment. The organizations posited that they could stay abreast of any newly published vulnerabilities and address them as they arose. While that concept may meet the letter of the PCI DSS requirements, it doesn’t quite meet that “above and beyond” benchmark. It may be possible, but it’s impractical to think that any mitigation could be as effective or efficient as that performed by the OS vendor. Don’t forget, actually implementing a system to keep on top of newly discovered vulnerabilities requires teams of engineers at Microsoft. It’s highly unlikely that another organization could do that more cost effectively than upgrading their OS. Although, if you’re based in the Redmond, WA area, there may be some XP engineers looking for work…

If you’ve read this far, it looks like the PCI SSC is staying relatively neutral on the subject. Keep reading.

For those who still wanted to pursue the compensating control option, we had another resource from the PCI SSC that we wanted to make sure they were aware of — the [ASV Program Guide](https://www.pcisecuritystandards.org/pdfs/asv_program_guide_v1.0.pdf). On page 15 of that guide begins a table of Required Components for PCI DSS Vulnerability Scanning. The second entry in that table, at the top of page 16, mandates that scans perform certain tests on identifiable operating systems. The column for “ASV Scan Solution must” contains this text:

> The ASV scanning solution must also be able to determine the version of the operating system and whether it is an older version no longer supported by the vendor, in which case it must be marked as an automatic failure by the ASV.

OS identification, as called for in this requirement, is more of an art than a science. It’s not 100% reliable. However, if you have an EOL operating system exposed to the Internet, and it’s able to be identified, you have trouble. Besides just the unpatched vulnerabilities this situation introduces into your environment, it will also cause an automatic failure of your scans. A failing scan means that Requirement 11.2.2 is not met.

So there you have it; the PCI SSC stating that EOL operating systems identified in a vulnerability scan are noncompliant. While we’d hope the number of desktop operating systems, like Windows XP, exposed to the Internet would be low, we find a large number of them in our scans daily. Regardless of whether a system is exposed to the Internet or able to be identified in an ASV scan, that stipulation in the ASV Program Guide, combined with Requirement 6 of the PCI DSS, should be taken as a definitive statement – EOL operating systems are a no-go for PCI compliance.

4. This isn’t just a PCI issue.

Walt’s piece focused on what impact the transition away from Windows XP will have on merchants running POS systems. However, PCI is not the only field in which this date is significant. Practically any regulation calling for the use of secure systems is going to require that known vulnerabilities be patched. For instance, while [HIPAA](http://www.403labs.com/compliance/hipaa) doesn’t explicitly set minimum requirements for an operating system, the Department of Health & Human Services [does spell out some things](http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html) that need to be part of any systems that contain electronic protected health information (PHI). That requirement calls for the patching of vulnerabilities to be covered in an organization’s [risk assessment](http://www.403labs.com/professional_services/risk_assessments). If the manufacturer no longer publishes patches for vulnerabilities, that risk factor skyrockets.

Windows XP served us well, but it’s time to put it out to pasture. We’ll continue to raise a ruckus about this upcoming transition. If you haven’t already, we’d suggest examining your options and putting a plan in place. If you’re not the one in your organization who makes those decisions, maybe you should consider making a ruckus too, to get their attention.