Hi, I have a customer who is running an EOL version of a CMS. The CMS in question has been heavily customised and so can't be simply upgraded to the next clean version.
My question is how do I handle that for PCI compliance? I understand that EOL software is an instant fail, but in this case the software has been heavily modified. How would I go about making a case for it with regard to PCI compliance?
I have already asked for evidence that the modifications cover known exploitable issues, etc.
Any help would be greatly appreciated!