[ This sponsored article was written by IDG Creative Lab, a partner of PCWorld, and not by PCWorld's editorial staff. ]
Compliance standards exist to provide a baseline for customer privacy and data protection. Regulatory requirements like SOX, HIPAA, and PCI-DSS are the rules that ensure companies are doing what it takes to guard sensitive information from unauthorized access. Businesses face legal and financial consequences for non-compliance, but perhaps the biggest risk of being out of compliance is loss of customer confidence – a major problem for any business’ bottom line.
Not all companies fall under all regulatory requirements. SOX (Sarbanes-Oxley) only applies to publicly traded companies, while HIPAA (Health Insurance Portability and Accountability Act) only affects businesses that deal with personal health information. However, almost every business must comply with the requirements of PCI-DSS (Payment Card Industry Data Security Standard)—rules put together by the credit card providers to govern data protection. PCI-DSS applies to any business that accepts, transmits, or stores credit card data – virtually every business that takes payments.
PCI-DSS is an industry framework, not a law, but being out of compliance can cost you. Not only can the credit card providers levy fines against businesses that don’t maintain compliance with PCI-DSS standards, they can also revoke your company’s ability to accept credit card payments. And failing to properly secure sensitive customer information and credit card data can damage your reputation and cost you customers.
The PCI Data Security Standards Council recommends, for instance, that businesses only use approved PIN-entry devices at the point of sale, and only point-of-sale or Web shopping cart software that has been validated. The Council publishes a list of approved devices and payment software on its site. Merchants should also secure their wireless routers with encryption and password protection, and use strong passwords throughout.
And that’s not all of it. Small businesses should probably seek expert guidance to understand which compliance mandates affect them, and what steps to take to achieve and maintain compliance. One of the most important steps to maintaining compliance across the board – and often the most obvious – is making sure your business software and hardware receive all of their updates and patches as promptly as possible. New threats to your network appear every day, so running the latest programs and protections is key. That goes double for your operating system, which governs the security of everything your company does.
Windows XP is out of compliance
Although support for Windows XP has officially expired, thousands of businesses around the world continue to rely on the aged operating system. That might be acceptable for some organizations, but businesses in industries that are governed by compliance mandates may not have the luxury of sticking with XP.
Tyler Reguly, manager of security research at Tripwire, an approved PCI-DSS scanning vendor, explains that PCI-DSS requires businesses to have an ASV (approved scanning vendor) conduct a scan at least quarterly. He notes that PCI-DSS is very clear that an unsupported operating system is an automatic failure.
Put more clearly, Reguly says, “Now that XP is out of support, it would register as a failure on PCI ASV scans. This would mean that PCI-DSS compliance would not be possible for organizations running Windows XP.”
“Let's be realistic,” stressed Reguly. “If you find out that a company is still making use of Windows XP, especially after hearing the horror stories on the news, is that really a company you want to do business with? I was concerned when I discovered my dentist still had Windows XP and made sure I fully understood their reasoning and the way they used it before I booked another appointment.”
The scope of PCI-DSS compliance is limited to systems that handle or can affect credit card data, so you can still use Windows XP on PCs that are not connected to a network or to the Internet and run only standalone applications. But Windows XP can’t be on any PC connected to the public Internet, or on any PC that has any contact whatsoever with PCs that process, transmit, or store any credit card-related information. Those systems need to be upgraded immediately to a supported operating system such as Windows 7 or Windows 8 Professional.
To remain compliant, organizations should either replace older PCs with new ones that come with supported operating systems installed, or upgrade the operating system on the existing hardware. SMBs reluctant to upgrade or migrate on their own can call in expert support. HP XP Migration Services helps move your Windows XP systems to Windows 7 Professional or Windows 8 Pro as seamlessly and painlessly as possible.
This story, "Protect Your Bottom Line by Making Sure Your Business is Compliant" was originally published by BrandPost.