By Natasja Bolton, Acquirer Support Manager
It’s suspected that several of the large retail chains that suffered major data breaches in the past few years were running 14-year-old software, Windows XP Embedded SP3, a version of the Windows XP operating system that is used by retailers of all sizes in their Point-of-Sale (POS) systems and which passed Microsoft’s End of Extended Support date on 12th January 2016.
This means Microsoft will no longer make critical security updates available, even when new security vulnerabilities are identified.
Microsoft support for Windows XP ended back in 2014; however, support for another variant of the operating system, Windows Embedded for Point of Service SP3, continues for a few more months, until 12th April 2016.
Sysnet expects that if large retailers are continuing to use out-of-support Windows Embedded operating systems in the POS environment, and are being compromised as a result, it is very likely that small retailers are too.
If your customers are still using a version of Windows XP for which critical security updates are no longer provided, they put themselves at considerable risk of being breached. If a data breach does occur, they may be found to be non-compliant even if they have previously validated as PCI DSS compliant.
They will have to demonstrate how the intent of PCI DSS Requirements 6.1 and 6.2 is being met; using an unsupported OS, they will not be able to fulfil these requirements unless they have developed and implemented a compensating control to address the risks associated with not being able to patch critical security vulnerabilities.
Additionally, if an unsupported operating system is Internet-facing, it will be detected by their ASV scan and reported as an automatic failure.
Any compensating control a customer intends to rely on should be short-term, include a migration plan and consist of protection mechanisms that are clearly ‘above and beyond’ the requirements of PCI DSS; just implementing anti-virus on the POS tills will not manage the merchant’s risk.
Sysnet believes that the development and support of sufficiently robust compensating controls would be beyond the means and technical capability of most small businesses.
These would have to include additional measures such as logging or blocking the use of removable storage, Bluetooth and infrared on the affected systems, implementing a host-based firewall/IPS, and isolating the affected systems so that, if they are compromised, they cannot affect other systems on the retailer’s network.
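To make the host-level part of such a compensating control concrete, here is an added example script (not Sysnet’s, and not from the article) that applies and then verifies the controls listed above on a single Windows XP-era till using only the built-in cmd tools. It assumes the standard XP SP3 service names (bthserv for Bluetooth Support, irmon for Infrared Monitor), an assumed evidence folder C:\POS-hardening, and an administrator command prompt; network isolation of the tills (VLANs, segmentation firewall) has to be done on the network side and is out of scope here.

```batch
@echo off
REM Added example, not from the Sysnet article. Host-level compensating
REM controls for an out-of-support Windows XP POS till, plus the checks
REM that produce evidence for the compensating control worksheet.
REM Assumptions: XP SP3 service names bthserv and irmon, and an evidence
REM folder under C:\POS-hardening (both hypothetical choices for this example).
setlocal
set LOGDIR=C:\POS-hardening
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

echo [1] Block the USB mass-storage class driver
REM Start=4 stops the already-installed USBSTOR driver from loading. A device
REM that has never been plugged in can still trigger a fresh driver install,
REM so in practice the usbstor.inf/usbstor.sys files are also ACL-restricted.
reg add HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start /t REG_DWORD /d 4 /f

echo [2] Disable Bluetooth and infrared services
REM "sc stop" on a service that is not running simply reports that it is
REM already stopped; the "start= disabled" setting is what persists.
sc config bthserv start= disabled
sc stop bthserv
sc config irmon start= disabled
sc stop irmon

echo [3] Turn on the built-in host firewall with no inbound exceptions, and log drops
REM The XP firewall filters inbound traffic only; egress restriction to the
REM payment processor must come from the network firewall, not this host.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
netsh firewall set logging filelocation="%LOGDIR%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

echo [4] Verify each control and record the result with a timestamp
(
  echo === %DATE% %TIME% %COMPUTERNAME% ===
  reg query HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start
  sc query bthserv | find "STATE"
  sc query irmon | find "STATE"
  netsh firewall show opmode
  netsh firewall show logging
) >> "%LOGDIR%\hardening-evidence.txt"
type "%LOGDIR%\hardening-evidence.txt"
endlocal
```

The verification step matters as much as the configuration: a compensating control is only accepted if the merchant can show it is in place and monitored, so the script appends its checks to an evidence file that can be collected from each till. It deliberately does not attempt to replace patching; as the article states, a control like this is a short-term measure that has to sit alongside a migration plan.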
Taking necessary steps
At Sysnet we recommend that you immediately reach out to your customers and inform them of the risks involved in the continued use of unsupported operating systems such as Windows XP. Our Merchant Contact Services can assist by carrying out an outreach service on your behalf. Request a call back today to find out more.
If you are a merchant that requires technical or PCI DSS help, please click here