The Windows 7 End of Support and PCI DSS Compliance Dilemma

There are a host of issues for organizations when an operating system goes out of support or end-of-life (EOL)—security patches are not readily available as new vulnerabilities emerge and attackers target systems; the cost of doing business associated with the unsupported system escalates rapidly; and the stress on resources to manage the dated system increases as the organization attempts to keep associated applications and processes running and functional on an ever-increasing volatile operating environment.

Compounding these security and operational issues, there are serious regulatory compliance concerns associated with running unsupported operating systems. Organizations must have alternate or compensating controls to ensure they meet the needs of the security controls required to stay compliant. Failing to satisfy the security mandates and controls associated with cybersecurity regulations can often jeopardize the financial well-being of the company. 

These implications are bad when an operating system goes into a non-supported state. But after the cool-off period (when the OS vendor may provide security patches “for a cost”, and varies depending on the schedule of that vendor), the OS reaches its official lifespan and there are no longer band-aid solutions to keep the system safe from cyber-attacks. That is, once this end of life date is reached, maintaining compliance becomes a difficult process.

In January 2023, the Windows 7 OS quietly went “end of support” across the globe. As of that date, organizations that were still running the OS would have to find alternate solutions to protect data. These alternate solutions would be outside of extended support contracts that may have been purchased to provide emergency patches against the vulnerabilities used to exploit the unprotected systems.  The end of support date is especially important because Windows 7 has been so widely used throughout the market—particularly within highly targeted verticals such as retail and healthcare.  Included in the end of support date for the Windows 7 OS are also Windows Embedded Standard 7, Windows Embedded Standard (WES), and Windows Server 2008/2008R2 for Embedded Systems. Many of these versions are still used for critical business processes within some retail and payment systems. 

Adding to this urgency, Windows 7 POSReady, a popular POS operating system which was used exhaustively within front end retail environments, will go out of support (beyond EOL and no possible extended support patches) in October 2024.

To uphold their regulatory compliance responsibilities, organizations need to ensure that they have planned and implemented compensating security controls to avoid penalties and fines associated with operating high-risk systems in their production environment. 

One such regulatory compliance law that affects many in the industry—and that should be considered carefully with Windows 7 still being used in production environments—is the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards designed to ensure the protection of credit card data during storage, processing, and transmission. It applies to any organization that handles payment card information, irrespective of size. Compliance with PCI DSS is not only necessary to maintain customer trust but also to avoid hefty fines and penalties that can result from data breaches. 

With the constantly evolving landscape of technology, staying in continuous compliance with PCI DSS is an ongoing challenge. The end of support of Windows 7 has added a new layer of complexity to this challenge.

Let’s dive into the regulatory implications that organizations will confront with respect to PCI DSS as they address the Windows 7 devices in their IT environments:

  • Requirement 6: Develop and Maintain Secure Systems and Applications: PCI DSS Requirement 6 mandates the development and maintenance of security controls that ensure the protection of systems and applications used for conducting business. Running Windows 7 which can no longer receive security updates will expose an organization to vulnerabilities that malicious actors can exploit. This poses a significant compliance risk.
  • Requirement 6.2: Ensure All System Components are Protected from Known Vulnerabilities: This requirement involves identifying and ranking vulnerabilities to install applicable vendor-provided security patches to the highest risk gaps. Since Windows 7 will no longer have any security patches, organizations still using this OS cannot directly meet this requirement.
  • Requirement 6.3: Develop Software Applications Securely: Organizations relying on Windows 7 integrations and alignment may face challenges in developing and maintaining secure software and applications that can meet PCI DSS guidelines, as the development environment itself is no longer secure.
  • Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data: Without the latest security updates, monitoring and tracking access to sensitive data becomes even more critical. The absence of security patches in Windows 7 might hinder an organization’s ability to effectively track and respond to security incidents.

So what can organizations do to address the issues that arise from the presence of Windows 7 systems? There are a few remediation and mitigation strategies they can implement:

  1. Upgrade to Supported OS: The most straightforward approach to addressing the regulatory implications is to upgrade to a supported operating system. However, in some large production environments, such as a large retailer, it’s not as easy as throwing a switch to move away from the unsupported OS.
  2. Segmentation and Isolation: If upgrading immediately is not feasible, then segmenting or isolating systems that are still running Windows 7 can help.
  3. Compensating Controls: Implement additional compensating controls to mitigate the risks associated with running Windows 7. These could include:
    • Enhanced monitoring and vulnerability hunting
    • Advanced asset intelligence mechanisms that can triangulate the association between systems, users, and vulnerabilities
    • Robust access controls combined with data enrichment from multiple intelligence sources to help preempt attacks that may be targeting your systems.

The convergence of PCI DSS compliance and the Windows 7 end-of-support represents a considerable challenge for organizations that operate within the payment card industry. With the immense size of many organizations, the temptation to delay upgrades and implement changes is strong, but the regulatory implications and consequences associated with the security risks of running an unsupported and un-patchable operating system cannot be ignored. By adopting proactive measures, such as upgrading to supported OS, implementing compensating controls, and seeking expert guidance, organizations can save themselves stress and navigate regulatory challenges effectively while maintaining the security and trust of their customers.

Want to see how an IT asset intelligence solution like Sevco Security can identify end-of-life devices in your environment? Watch our “Sevco Security Short” on that topic from Brian Contos, Chief Strategy Officer, below.

And schedule time with Sevco today to see how we can help your organization.

Share This Post: