Red Hat 6 End of Life, how does it affect PCI DSS compliance?

In November 2020, Red Hat Enterprise Linux 6 (RHEL 6) reached end of life after a 10-year active maintenance phase. RHEL 6 is now in a one-year phase called the Extended Life Phase that ends in November 2021; that phase is already halfway over.

During the Extended Life Phase, no more work is done on RHEL 6: there will be no further bug fixes, security fixes, software enhancements or minor releases. Technical support is also limited during this phase and is restricted to existing installations. If a package update is required to solve a problem, only packages released during the maintenance phase will be available. Note that the Extended Life Phase is a paid subscription and is only available to those with an active subscription.

If your platform is in scope for PCI DSS and you have yet to migrate to Red Hat Enterprise Linux (RHEL) 7 or 8, you may face compliance problems. In particular, requirement 6.2 states: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.” Installing critical security patches within 30 days is now impossible on RHEL 6, since no new security patches will be released for it.
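A practical first step toward requirement 6.2 is knowing which hosts in your inventory are still on RHEL 6 and which lifecycle phase they are in. The following POSIX shell script is an added example, not code from the original post: it classifies a host by the major version in its `/etc/redhat-release` line and the current month, using only the two dates the post gives (maintenance ended 2020-11, Extended Life Phase ends 2021-11). The sample inventory lines are constructed for illustration, and the lifecycle dates for other major versions are deliberately left unknown rather than assumed.

```shell
#!/bin/sh
# Added example: flag RHEL hosts whose vendor security patches are no longer
# produced, which makes the PCI DSS 6.2 "critical patch within one month"
# requirement unattainable. Only RHEL 6 dates are known from the post.

# rhel_major "<redhat-release line>"  -> major version number (e.g. 6)
rhel_major() {
    rel="${1##*release }"   # drop everything up to and including "release "
    rel="${rel%%.*}"        # drop the minor version
    rel="${rel%% *}"        # drop any trailing codename
    printf '%s\n' "$rel"
}

# ym_to_int "YYYY-MM" -> YYYYMM as an integer, so months compare with -lt
ym_to_int() {
    printf '%s\n' "${1%-*}${1#*-}"
}

# rhel_phase <major> <YYYY-MM>
#   -> maintenance | extended-life | eol | unknown
rhel_phase() {
    major="$1"; now=$(ym_to_int "$2")
    case "$major" in
        6) maint_end=$(ym_to_int 2020-11); ext_end=$(ym_to_int 2021-11) ;;
        *) printf 'unknown\n'; return 0 ;;   # dates not given in the post
    esac
    if [ "$now" -lt "$maint_end" ]; then
        printf 'maintenance\n'      # vendor security patches still produced
    elif [ "$now" -lt "$ext_end" ]; then
        printf 'extended-life\n'    # no new security patches: 6.2 at risk
    else
        printf 'eol\n'              # no vendor support at all: 6.2 unmet
    fi
}

# audit_inventory <YYYY-MM>: reads "host;release line" records on stdin and
# prints "host phase 6.2-status" for each one.
audit_inventory() {
    while IFS=';' read -r host release; do
        [ -n "$host" ] || continue
        phase=$(rhel_phase "$(rhel_major "$release")" "$1")
        case "$phase" in
            maintenance) status="patchable" ;;
            unknown)     status="check-vendor-lifecycle" ;;
            *)           status="no-vendor-patches" ;;
        esac
        printf '%s %s %s\n' "$host" "$phase" "$status"
    done
}

# Constructed sample inventory (not real hosts), audited as of May 2021.
audit_inventory 2021-05 <<'EOF'
pay-db-01;Red Hat Enterprise Linux Server release 6.10 (Santiago)
pay-web-02;Red Hat Enterprise Linux Server release 7.9 (Maipo)
EOF
```

In a real environment the release line would come from each host (for example, collected by your configuration management tool) and the audit month from `date +%Y-%m`; anything reported as `no-vendor-patches` is a host where requirement 6.2 cannot be met by patching and needs a migration plan or a compensating control documented with your QSA.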

Requirement 5 of the PCI DSS requires antivirus software to be installed on systems “commonly affected by malware”. My experience with Qualified Security Assessors is that RHEL systems generally are not categorized as systems commonly affected by malware, in contrast to Windows operating systems. However, a very old RHEL 6 operating system that has reached end of life may very well be categorized as commonly affected by malware. This will require you to install third-party antivirus software, since there is no built-in virus protection in RHEL 6.

Requirements 3 and 4 of the PCI DSS require you to encrypt the storage and transmission of cardholder data with industry-accepted encryption. As encryption algorithms and protocols are constantly evolving, a legacy system such as RHEL 6 may make industry-accepted encryption a problem in the future, especially since PCI DSS is moving towards the encryption of all internal network traffic as well.

In conclusion, I strongly recommend migrating from RHEL 6 to a later major version of RHEL as soon as possible if you are a payment card industry entity that needs to comply with the PCI DSS, since there are some major compliance issues to be concerned about. The requirements mentioned above are just the tip of the iceberg.