How Microsoft Support Expiry can Affect Your PCI Compliance

By Doug Wright - 26 Jul 2016.

Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft “Support Lifecycle” [2] can be misunderstood, leading to compliance confusion and unnecessary work.

Impact on PCI

Software used within a Cardholder Data Environment (CDE) must be able to receive vendor security patches: requirement 6.2 of the PCI Data Security Standard (DSS) requires that applicable vendor-supplied security patches be installed, which is impossible once the vendor has stopped producing them. Additionally, the Business-as-Usual best practices in the DSS call for organizations to periodically confirm that the software they rely on is still supported by its vendor. If the software is no longer supported, you may no longer be PCI compliant [1].

If security is a serious concern for your organization, staying ahead of the support curve, rather than upgrading only when a deadline forces it, improves the overall security of your systems. Newer operating system versions generally include new or improved security features [4].

General-purpose Windows XP (Extended support ended April 8, 2014) should have been phased out by Q2 2014, and upgrades of Windows Vista machines should be nearing completion by the end of 2016, ahead of its April 11, 2017 end of Extended support.

Point of Sale systems running Windows 7 left Mainstream support on January 13, 2015, but continue to receive security updates under Extended support until January 14, 2020, which provides breathing room for businesses that have yet to upgrade to Windows 10.

What are the Differences between Mainstream and Extended Support?

Microsoft's two support phases, Mainstream and Extended, differ in what is provided. The end of Mainstream support means no more new features or service packs, and non-security hotfixes are only available under a paid Extended Hotfix Support agreement. Security updates, however, continue to be released until the end of Extended support (for details see Microsoft references [2, 3, 5]). Once Extended support for a product ends, it receives no further security updates, cannot satisfy requirement 6.2, and a CDE that still depends on it may no longer be PCI compliant.

Windows Operating System Support Lifecycle

The table below shows the end of Extended support for Windows products, sorted by date. Each product is also classified as Server, Desktop, or Embedded.

Note: the last column shows whether the product was already past Mainstream support at the time of writing (July 2016). Products in that state still receive security updates, but no new features or service packs.

End of Extended Support   Product                           Type       Past Mainstream (Jul 2016)
April 8, 2014             Windows XP SP3                    Desktop    Yes
April 8, 2014             Exchange Server 2003 Standard     Server     Yes
July 14, 2015             Windows Server 2003 Standard      Server     Yes
January 12, 2016          Windows XP Embedded               Embedded   Yes
April 11, 2017            Windows Vista                     Desktop    Yes
April 9, 2019             Windows Embedded POSReady 2009    Embedded   Yes
January 14, 2020          Windows 7 SP1                     Desktop    Yes
January 14, 2020          Windows Server 2008               Server     Yes
January 10, 2023          Windows Embedded 8/8.1 Pro        Embedded   No
January 10, 2023          Windows 8.1                       Desktop    No
October 10, 2023          Windows Server 2012 Standard      Server     No
October 14, 2025          Windows 10                        Desktop    No
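As an added example (not part of the original article), the following PowerShell script performs the Business-as-Usual check described above against the dates in the table: it reads each host's operating system through CIM, maps it to an end-of-Extended-support date, and flags hosts that are unsupported, within a configurable warning window, or not covered by the table at all. The host list file (cde-hosts.txt), the 180-day warning window, and the version-prefix-plus-role key scheme are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Inventory check for the
# Business-as-Usual practice of confirming that software in the CDE is still
# supported, using the End-of-Extended-Support dates from the table above.
# Host list, warning window and key scheme are assumptions for illustration.

# Key: the first two components of Win32_OperatingSystem.Version plus the
# role ('ws' for ProductType 1 = workstation, 'srv' otherwise).
# Embedded editions share XP's 5.1 version string, so they are matched on
# Caption further down and use the two literal keys at the end.
$EndOfExtendedSupport = @{
    '5.1|ws'   = @{ Product = 'Windows XP SP3';                 End = [datetime]'2014-04-08' }
    '5.2|srv'  = @{ Product = 'Windows Server 2003';            End = [datetime]'2015-07-14' }
    '6.0|ws'   = @{ Product = 'Windows Vista';                  End = [datetime]'2017-04-11' }
    '6.0|srv'  = @{ Product = 'Windows Server 2008';            End = [datetime]'2020-01-14' }
    '6.1|ws'   = @{ Product = 'Windows 7 SP1';                  End = [datetime]'2020-01-14' }  # assumes SP1 is installed
    '6.3|ws'   = @{ Product = 'Windows 8.1';                    End = [datetime]'2023-01-10' }
    '6.2|srv'  = @{ Product = 'Windows Server 2012';            End = [datetime]'2023-10-10' }
    # Windows 10 feature updates have their own shorter lifecycles; the table
    # only gives the end date for the product line, so 10.0 is one entry here.
    '10.0|ws'  = @{ Product = 'Windows 10';                     End = [datetime]'2025-10-14' }
    'xpe'      = @{ Product = 'Windows XP Embedded';            End = [datetime]'2016-01-12' }
    'posready' = @{ Product = 'Windows Embedded POSReady 2009'; End = [datetime]'2019-04-09' }
}

function Get-SupportStatus {
    # Classify each host as Supported, ExpiringSoon, Unsupported, Unknown or Unreachable.
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int]      $WarningDays = 180,         # assumption: flag anything ending within ~6 months
        [datetime] $AsOf        = (Get-Date)   # override to reproduce a past assessment date
    )

    foreach ($computer in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        } catch {
            # An unreachable host is a finding in itself: it cannot be shown to be patched.
            [pscustomobject]@{ ComputerName = $computer; Caption = $null; Product = $null
                               EndOfExtendedSupport = $null; DaysRemaining = $null; Status = 'Unreachable' }
            continue
        }

        $prefix = ($os.Version -split '\.')[0..1] -join '.'
        $role   = if ($os.ProductType -eq 1) { 'ws' } else { 'srv' }
        $key    = "$prefix|$role"
        if ($os.Caption -match 'POSReady')                          { $key = 'posready' }
        elseif ($os.Caption -match 'Embedded' -and $prefix -eq '5.1') { $key = 'xpe' }

        $entry = $EndOfExtendedSupport[$key]
        if (-not $entry) {
            # Not in the table (e.g. Windows 8, Windows Server 2008 R2): report it
            # for manual verification with the Lifecycle Search Tool [5] rather
            # than silently treating it as supported.
            $product = $os.Caption; $end = $null; $days = $null; $status = 'Unknown'
        } else {
            $product = $entry.Product
            $end     = $entry.End
            $days    = [int]($end - $AsOf).TotalDays   # negative = already past end of support
            $status  = if ($end -lt $AsOf)            { 'Unsupported' }
                       elseif ($days -le $WarningDays) { 'ExpiringSoon' }
                       else                            { 'Supported' }
        }

        [pscustomobject]@{
            ComputerName         = $computer
            Caption              = $os.Caption
            Product              = $product
            EndOfExtendedSupport = $end
            DaysRemaining        = $days
            Status               = $status
        }
    }
}

# Usage (hypothetical host list): everything that needs attention before the
# next assessment, soonest expiry first.
Get-SupportStatus -ComputerName (Get-Content .\cde-hosts.txt) |
    Where-Object Status -ne 'Supported' |
    Sort-Object EndOfExtendedSupport |
    Format-Table -AutoSize
```

Anything reported as Unknown or Unreachable deserves the same attention as Unsupported: the check only proves compliance for hosts it can positively match to a product that is still inside Extended support.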

Additionally, read our blog about PCI DSS version 3.2: What You Need to Know to Stay PCI Compliant.

References:

  1. Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?
  2. Microsoft Support Lifecycle Policy
  3. Windows lifecycle fact sheet
  4. What does the end of support of Windows XP mean for Windows Embedded?
  5. Microsoft Product Lifecycle Search Tool