Windows NT and PCI Compliance
adm1rch
06-01-2007, 11:33 AM
I am looking for an opinion on a specific PCI Level 1 compliance situation. A merchant is using IBM 4690 emulation software running on a Windows NT workstation in each store. The merchant is willing to put compliance compensating controls in place (e.g., network isolation, firewalls, rootkit analyzers, user access controls, etc.) to basically lock down the environment and leave only potential physical security risks of direct workstation access. (Several of the compensating controls are already in place.)
My question is - do you believe the acquirer will ever agree that this can be considered a compliant environment (i.e., are you aware of any merchants doing this today?), or because the environment incorporates Windows NT, is there no way the acquirer will accept the configuration as compliant?
Your insights are greatly appreciated!
mdahn
06-04-2007, 12:09 AM
You should first not be asking us, but ask your (or your merchant's) acquirer. But to arm you with some insight this is the place to be.
First, compensating controls can be considered for any PCI requirement other than 3.2.x. The use of Windows NT, which has been EOL'd by Microsoft, violates at least requirement 6.1 (patch management).
What I would do is fill out the compensating controls worksheet (available as an Appendix in the Security Audit Procedures) and determine if it properly mitigates the risk. I can tell you that other companies have done similar things so that should not discourage an acquirer from accepting this. The question is, does it properly protect the credit card data?
Also, you may want to ask if this is a short-term or a long-term compensating control. Either way you need to re-evaluate it each year, but this may have some impact on what your acquirer will say.
jbhall56
06-06-2007, 04:25 AM
If a vendor (in this case Microsoft) doesn't issue patches for an OS (Windows NT) for whatever reason, does that violate 6.1.x? I think one can argue that if it's in the patch management system/process but there are no patches issued by the vendor, it's current on its patches.
Now, is it intelligent to use EOL'd OSes? Definitely not. But I think you have to invalidate NT's PCI compliance on the fact that it's EOL'd and that it is not considered a secure OS, not on the fact that it's not patched, which it likely is if they have applied every patch ever issued by Microsoft.
AngryAuditor
06-07-2007, 03:57 PM
Now, is it intelligent to use EOL'd OSes? Definitely not. But I think you have to invalidate NT's PCI compliance on the fact that it's EOL'd and that it is not considered a secure OS, not on the fact that it's not patched, which it likely is if they have applied every patch ever issued by Microsoft.
Just out of curiosity, what exactly do YOU consider a secure OS if not NT? :)