That situation leaves a choice. The first option is to migrate from Windows XP or implement compensating controls. The second is buying replacement apps or rewriting old ones so they perform well on Windows 7 or 8/8.1. Another option businesses have is to pay Microsoft for extending XP support also costly, but something that can buy time until a better solution is in place.
Some merchants that should comply with PCI could fly under the radar for a while without doing anything to address Windows XP non-compliance, he says. While it's not advisable, they are not compelled to have security audits unless a merchant bank or credit processing service provider requires it and that doesn't happen all the time, Collins says.
PCI doesn't require all businesses to meet the updated operating system requirement. If credit card data is collected by a business, encrypted using keys that are not in control of that business and passed off to a separate entity for processing and storage, the collecting business doesn't have to comply with the requirement to a fully patched and supported operating system, Akins says.
Still, the best option is to upgrade, Collins says. "It's difficult to envision a case where the cost of upgrading is greater than the cost of compensating controls," he says.