This Blog article discusses the effect of Microsoft Sunset dates with PCI Compliance

1 min read

How Microsoft Support Expiry can Affect Your PCI Compliance

Featured Image

Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft “Support Lifecycle” [2] can be misunderstood, leading to compliance confusion and unnecessary work.

Impact on PCI

Software used within a Cardholder Data Environment (CDE) must have the capability to receive security updates per requirement 6.2 of the Data Security Standard (DSS). Additionally, the Business-As-Usual Best Practices of the DSS requires organizations to confirm software continues to be supported. If the software is no longer supported then you may no longer be PCI compliant.

If security is a serious concern for your organization, staying ahead of the support curve can improve the overall security of your systems. Newer operating system versions generally include new or improved security features [See 4].

General Purpose Windows XP should have been phased out by Q2 2014, and upgrading of Vista machines should be nearing completion by the end of 2016.

Point of Sale systems running Windows 7 will receive extended support until January 14, 2020 which provides breathing room for those businesses who have yet to upgrade to Windows 10.

What are the Differences between Mainstream and Extended Support?

The different Microsoft support phases; Mainstream and Extended, include different support offerings. Basically, end of mainstream support means no new service packs and features. Security updates continue until the end of Extended support (For details see Microsoft references [2, 3, 5]). This also means you may no longer be PCI compliant once the Extended support of Microsoft products ends.

Windows Operating System Support Lifecycle

The table below shows the expiry date of the Extended support of Windows products. The products are also organized as Server, Desktop, and Embedded.

Note: products shown in italics are past Mainstream support.

End of Extended Support Product Server Desktop Embedded
April 8, 2014 Windows XP SP3    
April 8, 2014 Windows Exchange Server 2003 Standard    
July 14, 2015 Windows Server 2003 Standard    
January 12, 2016 Windows XP Embedded    
April 11, 2017 Windows Vista    
April 9, 2019 Windows Embedded POSReady 2009    
January 14, 2020 Windows 7 SP1    
January 14, 2020 Windows Server 2008    
January 10, 2023 Windows Server 2012 Standard    
January 10, 2023 Windows Embedded 8/8.1 Pro    
January 20, 2023 Windows 8.1    
October 14, 2025 Windows 10    

Additionally, read our blog about PCI DSS version 3.2- What You Need to Know to Stay PCI Compliant.


  1. Are operating systems that are no longer supported by the vendor non-compliant with the PCI DSS?
  2. Microsoft Support Lifecycle Policy
  3. Windows lifecycle fact sheet
  4. What does the end of support of Windows XP mean for Windows Embedded?
  5. Microsoft Product Lifecycle Search Tool

This Week's [in]Security - Issue 271

Welcome to This Week’s [in]Security. Non-Compliance Lesson, DSSv4 related, Skimmers, Other Payments. New breaches: 7 breachers per capita, Shields &...

Read More

Non-Compliance Lesson No. 4: Keep your head in the cloud when adopting new technologies

PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.

Read More

“Follina” – Critical Zero-Day Exploit for Microsoft Products


Over the past holiday weekend, a tweet from Tokyo-based security researcher “nao_sec” first identified an interesting upload to antivirus...

Read More