PCI-DSS, GDPR And End Of Life Operating Systems

Posted: Friday, December 6, 2019

Author: David Tuck

Does your company take credit card payments? Do you have systems that are going end of life in January 2020?

If the answer to these questions is yes, then you need to be aware that when mainstream support stops for these systems, so does your ability to be PCI DSS compliant.

Article 6.2 of the PCI DSS requirements states:

“Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”

If the vendor is no longer supporting your operating systems, you will no longer be compliant with the PCI DSS standard, which may have a significant impact on your company’s ability to continue to take credit card payments.

Not being compliant will at the very least lead to raised charges on your credit card transactions and, if it continues, can lead to non-compliance fines and ultimately to your ability to take credit card payments being removed. Also, if you have a breach, you will be liable for the cost of a PCI forensic investigator, which can often run to thousands of pounds.

If this isn’t bad enough, remember that a breach of credit card data is likely to also be a breach of personal information. This can potentially lead to a fine from the Information Commissioner’s Office of up to 4% of your turnover. Running non-supported software would be considered as failing Article 5(1) principle 6, that data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”, because you have not maintained the appropriate measures.

If you run any of the following:

  • Microsoft Hyper-V Server 2008
  • Microsoft Hyper-V Server 2008 R2
  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server Update Services 3.0
  • Windows Storage Server 2008

or any other non-supported systems and they are used in your environment to take or process credit card information, then you need to act now to ensure you don’t fail your next compliance scan.
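Before the next compliance scan, the practical first step is to reconcile your asset register against the end-of-support list above and find out which of those hosts sit inside the cardholder data environment (CDE). The script below is an added example, not code from the author or the article; it assumes a constructed CSV-style inventory with a hostname, operating system name and an "in CDE" flag, and it assumes the end-of-support date for the listed products is 14 January 2020 (the article only says January 2020). Hosts inside the CDE are listed first, because those are the ones that can no longer meet Requirement 6.2: once vendor support has ended, no security patch can ever arrive within the one-month window.

```python
"""Flag end-of-life Windows systems in a cardholder data environment (CDE).

Added example; the inventory and the dates are constructed/assumed, see below.
"""
from datetime import date

# End-of-support table for the products named in the article.
# Assumption: Microsoft ended extended support for all of them on 14 January 2020.
EOL_PRODUCTS = {
    "Microsoft Hyper-V Server 2008": date(2020, 1, 14),
    "Microsoft Hyper-V Server 2008 R2": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server Update Services 3.0": date(2020, 1, 14),
    "Windows Storage Server 2008": date(2020, 1, 14),
}

# Constructed sample inventory (hostname,os,in_cde), shaped like an asset
# register export. These are not real hosts.
SAMPLE_INVENTORY = """\
hostname,os,in_cde
pos-till-01,Windows 7,yes
db-cards-02,Windows Server 2008 R2,yes
hr-share-01,Windows Server 2008,no
web-01,Windows Server 2019,yes
"""


def parse_inventory(text):
    """Parse the CSV-style inventory into (hostname, os, in_cde) tuples."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:  # first line is the header
        hostname, os_name, in_cde = (field.strip() for field in line.split(","))
        rows.append((hostname, os_name, in_cde.lower() == "yes"))
    return rows


def days_past_eol(os_name, today, table=EOL_PRODUCTS):
    """Days since vendor support ended, or None if still supported / not in the table."""
    eol = table.get(os_name)
    if eol is None or today <= eol:
        return None
    return (today - eol).days


def find_unsupported(inventory, today, table=EOL_PRODUCTS):
    """Return (hostname, os, in_cde, days_past_eol) for every host on an EOL OS.

    CDE hosts come first: they are the ones that fail PCI DSS Requirement 6.2,
    since no vendor patch can be installed within one month of release when
    no patches are released at all.
    """
    findings = []
    for hostname, os_name, in_cde in inventory:
        days = days_past_eol(os_name, today, table)
        if days is not None:
            findings.append((hostname, os_name, in_cde, days))
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


def scan(inventory_text, today_iso, table=EOL_PRODUCTS):
    """Convenience wrapper: inventory text plus an ISO date -> findings list."""
    return find_unsupported(parse_inventory(inventory_text), date.fromisoformat(today_iso), table)


def cde_findings(inventory_text, today_iso, table=EOL_PRODUCTS):
    """Only the findings that are inside the cardholder data environment."""
    return [f for f in scan(inventory_text, today_iso, table) if f[2]]


if __name__ == "__main__":
    # Run against the constructed inventory as of 1 February 2020.
    for host, os_name, in_cde, days in scan(SAMPLE_INVENTORY, "2020-02-01"):
        scope = "IN CDE" if in_cde else "out of scope"
        print(f"{host:<14}{os_name:<36}{scope:<14}{days} days past end of support")
```

Point the parser at a real export from your asset register or vulnerability scanner and the CDE findings are the hosts to migrate or isolate first; the out-of-scope findings still matter for GDPR, since Article 5(1) principle 6 applies to any system processing personal data, not only to cardholder systems.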
