Navigating PCI 4.0 and End-of-Life Software

PCI DSS 4.0 12.3.4

If your organization is subject to PCI DSS, you should know about a new requirement in PCI DSS 4.0 aimed at outdated (also called end-of-life, or EOL) hardware and software: requirement 12.3.4. It requires an organization to review the technologies it uses at least once every 12 months, confirm that each still receives security fixes from its vendor, record any vendor end-of-support or end-of-life announcements, and keep a remediation plan, approved by senior management, for anything that is outdated or has an announced EOL date. The requirement is a best practice until 31 March 2025; after that date it becomes mandatory and is fully considered during a PCI DSS assessment.

EOL and PCI DSS Compliance

EOL software is a product that its vendor has stopped selling, supporting, and patching; the vendor considers the software or device obsolete. No further security fixes ship for it, so under 12.3.4 it must be identified in the annual review and covered by a remediation plan. It also leaves any newly discovered vulnerabilities permanently unaddressed, which can put your organization in violation of PCI DSS 4.0 requirement 6.3.3, the requirement to protect system components by installing applicable security patches (numbered 6.2 in PCI DSS 3.2.1).

To comply with requirement 12.3.4 in PCI DSS 4.0, you need to inventory the software your organization uses, track the end-of-life status of each item, and upgrade or replace whatever has reached EOL. That covers the whole stack, from operating systems down to programming packages (think the .NET or JavaScript libraries your application teams depend on). Note that EOL is declared per release line, not per patch: a fully patched Debian 10 or Node.js 16 host is still end-of-life once that line is.
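The script below is an added example written for this article, not Xeol's own code. It runs an offline 12.3.4-style review of a constructed software inventory against constructed EOL records. The record field names ("cycle" and "eol") follow the per-cycle JSON published by endoflife.date; that layout is an assumption about the API, and nothing here contacts it. The inventory entry "internal-auth-lib" is a hypothetical in-house component included to show the case a practitioner must handle: a component with no EOL data is reported as UNKNOWN, not as supported. Matching is done on the release line, so a current point release inside a dead line (Debian 10.13, OpenSSL 1.1.1w) is still flagged EOL.

```python
"""Offline end-of-life check for a software inventory.

Added example, not Xeol's code. EOL_DATA is constructed sample data; its
field names ("cycle", "eol") follow endoflife.date's per-cycle JSON, which
is an assumption about that API. Nothing here makes a network call.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Fixed review date so the run is reproducible; a real run would use date.today().
REVIEW_DATE = date(2024, 10, 1)
WARN_DAYS = 90  # flag anything whose EOL date falls within the next 90 days

# Constructed inventory: (product, installed version). In practice this comes
# from an SBOM, package-manager output, or a scanner such as Xeol.
INVENTORY = [
    ("debian", "10.13"),
    ("nodejs", "16.20.2"),
    ("python", "3.8.19"),
    ("python", "3.11.9"),
    ("dotnet", "6.0.33"),
    ("openssl", "1.1.1w"),
    ("internal-auth-lib", "2.3.0"),  # hypothetical in-house library, no EOL data
]

# Constructed EOL records keyed by product. "eol" is an ISO date, or False when
# the vendor has not announced one.
EOL_DATA = {
    "debian": [{"cycle": "10", "eol": "2024-06-30"}, {"cycle": "12", "eol": "2026-06-10"}],
    "nodejs": [{"cycle": "16", "eol": "2023-09-11"}, {"cycle": "20", "eol": "2026-04-30"}],
    "python": [{"cycle": "3.8", "eol": "2024-10-07"}, {"cycle": "3.11", "eol": "2027-10-24"}],
    "dotnet": [{"cycle": "6.0", "eol": "2024-11-12"}, {"cycle": "8.0", "eol": "2026-11-10"}],
    "openssl": [{"cycle": "1.1.1", "eol": "2023-09-11"}, {"cycle": "3.0", "eol": "2026-09-07"}],
}


@dataclass
class Finding:
    product: str
    version: str
    status: str  # "EOL", "APPROACHING", "SUPPORTED" or "UNKNOWN"
    eol: Optional[date]


def numeric_parts(version: str) -> list:
    """'1.1.1w' -> [1, 1, 1]; stops at the first component with no leading digits."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return parts


def match_cycle(version: str, cycles: list) -> Optional[dict]:
    """Most specific release line whose numbers prefix the installed version.

    EOL is declared per line (Debian 10, Node.js 16), so 10.13 inherits the
    fate of cycle 10 regardless of how recent the point release is.
    """
    want = numeric_parts(version)
    best = None
    for cycle in cycles:
        have = numeric_parts(cycle["cycle"])
        if have and want[: len(have)] == have:
            if best is None or len(have) > len(numeric_parts(best["cycle"])):
                best = cycle
    return best


def classify(product: str, version: str, today: date = REVIEW_DATE,
             warn_days: int = WARN_DAYS) -> Finding:
    cycle = match_cycle(version, EOL_DATA.get(product, []))
    if cycle is None:
        # No data is not the same as supported: this item needs a manual answer.
        return Finding(product, version, "UNKNOWN", None)
    if cycle["eol"] is False:
        return Finding(product, version, "SUPPORTED", None)
    eol = date.fromisoformat(cycle["eol"])
    if eol <= today:
        status = "EOL"
    elif eol - today <= timedelta(days=warn_days):
        status = "APPROACHING"
    else:
        status = "SUPPORTED"
    return Finding(product, version, status, eol)


def review(inventory=INVENTORY, today: date = REVIEW_DATE, warn_days: int = WARN_DAYS) -> list:
    """Classify every inventory entry, worst status first, so remediation items lead."""
    order = {"EOL": 0, "UNKNOWN": 1, "APPROACHING": 2, "SUPPORTED": 3}
    findings = [classify(p, v, today, warn_days) for p, v in inventory]
    return sorted(findings, key=lambda f: (order[f.status], f.product, f.version))


def summarize(findings: list) -> dict:
    counts = {"EOL": 0, "APPROACHING": 0, "SUPPORTED": 0, "UNKNOWN": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = review()
    for f in results:
        when = f.eol.isoformat() if f.eol else "n/a"
        print(f"{f.status:<11} {f.product:<18} {f.version:<8} eol={when}")
    print("summary:", summarize(results))
```

Run against the constructed data on the fixed review date of 2024-10-01, the script reports three EOL items (Debian 10, Node.js 16, OpenSSL 1.1.1), two approaching their EOL date within 90 days (Python 3.8, .NET 6.0), one supported, and one UNKNOWN. The UNKNOWN row is the one an assessor will ask about: the scan cannot prove it is supported, so the annual review has to document its support status by hand.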

Xeol and PCI DSS Compliance

Xeol can serve as the source of truth for the software your organization runs, its versions, and its end-of-life or support status. Continuous scanning lets you see EOL dates coming and gives you ample time to upgrade before your next PCI audit.