New ‘End of Life’ or ‘Obsolete Software’ Vulnerabilities for PCI Compliance

Document created by George Tabet on Sep 8, 2010. Last modified by eschamp on Nov 11, 2010.
Version 4




QID 105359, 105360, 105361, 105362, 105363



The PCI Council has announced that any systems no longer supported by the vendor are to cause a Fail for PCI Compliance. Because these systems no longer receive regular vendor patches, they are at increased risk of compromise, which in turn increases the risk of credit card compromise.


Qualys, as an ASV, must report any End-of-Life systems as a Fail for PCI. You can, however, ask your Acquiring Bank for an "exception", as they ultimately have the responsibility to decide whether they are willing to accept the risk to cardholder data. In this case, when submitting your PCI Reports, you can ask for a temporary exception and let them know your planned upgrade or migration schedule.



Qualys Support KnowledgeBase