If you have WindowsXP systems and you also accept credit cards, you won’t be for much longer. The operating system that was once installed on more than 800 million computers is rapidly approaching its expiration date. Microsoft’s product support for WindowsXP finally ends April 8th, 2014 – FOREVER.
It’s been estimated that WindowsXP currently resides on nearly 1 out of every 3 installed desktops, 75% of ATMs, and more than 30% of POS Systems, with the latter two particularly in the cross-hairs. Come April 8th, if you are in banking or any type of retail operation that accepts credit cards, and are still using WindowsXP-based systems to process ATM or credit card transactions, you may very well find yourself out of and dealing with other severe regulatory compliance issues. Do you have a plan in place to migrate off XP? Have you started upgrading your systems yet?
If you answered “No” to either question, then I know what is keeping you up at night.
Although usage is dropping, it isn’t happening fast enough. KAL, a company that specializes in ATM machine software, estimates by the time April 8th comes around, only of 420,000 U.S.-based ATMs will have upgraded to Windows7. As for POS systems, accurate estimates are hard to come by. Trustwave believes for the 100,000+ POS systems running Trustwave’s TrustKeeper, Agent’s POS endpoint security product, the percentage of WindowsXP POS systems in the field is significantly higher than 30%.
PCI Data Security Standard Requirement states merchants must…
“Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.”
With Microsoft no longer offering security fixes for WindowsXP, this key section of the PCI DSS “Requirement 6: Develop and maintain secure systems and applications” knocks you right out of compliance.
Why have so many companies waited so long to migrate off WindowsXP?
The harsh reality boils down to the economic balancing act we face in setting business priorities – barebones budgets, inadequate resources, constrained timeframes, and inescapable politics. In this case, the time to act has a hard target date – April 8, 2014. If deemed non-compliant in an audit, penalties for merchants could run into the tens of thousands of dollars per month depending on merchant level status.
There are also certain aspects to the WindowsXP end-of-life (EOL) that make this transition unique. The operating system was developed in an era where mobile usage was occasional. Networking involved dedicated cables. Remote access used hard-wired phone lines. The world has changed significantly since 2001.
We are entering into a hyper-mobile, data-gathering era where devices communicate wirelessly and constantly – from our cell phones, to gym shoes, to the clothing we wear. With this fluid transfer of information comes the ability to just as easily move viruses, spyware, malware or other malicious code.
So what can you do?
#1. Temporarily implement compensating controls.
This first option is temporary, weak and difficult at best. You would invest significant dollars and a tremendous amount of effort on a transitory fix. Developing compensating controls would be difficult, because every compensating control requires a risk analysis. In addition, merchants are not likely to have the resources or access to WindowsXP source code to identify new vulnerabilities or develop their own security patches.
If you are considering pursuing this path, a resource is available at the PCI Security Standards Council (SSC) website – the . You would need to work closely with your (QSA) and your merchant partner before taking on any type of compensating control strategy.
#2. Install and integrate a P2PE system.
A second option is to utilize a (P2PE) process to allow your organization additional time to work through an overall upgrade strategy.
“A point-to-point encryption (P2PE) solution is provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.”
Quoted as more of a “Holy Grail” solution, P2PE attempts to reduce the merchant’s responsibility for PCI compliance by taking the credit card data out of their hands. The process involves a third party provider, in combination with secure devices (PEDs) and encrypted processes, from the moment the credit card is swiped, until the data lands in the third party’s hands.
At best, P2PE is currently challenging and complex to implement. At worst, it can initially be expensive and problematic to maintain. The process for internally qualifying scope reduction can be daunting. In addition, other organizational workflow processes involved, outside of P2PE in handling PCI credit data, remain in scope and can negate possible scope reductions or potential cost savings.
Read more on the dangers of Outsourcing your Compliance issues.
#3. Migrate off WindowsXP.
The third, and most likely approach, is to migrate off WindowsXP. Investing in upgrading your organization’s infrastructure, to take advantage of future economic opportunities, might be immediately difficult, but is the best long term strategy.
Next Steps
There are no easy answers or quick fixes here. It is worth noting that Microsoft recently announced an extension of its anti-malware support for WindowsXP to mid-2015.
If you wish to continue to conduct business using credit cards and ATMs, remain PCI compliant, AND address your organization’s security vulnerabilities, you will need migrate off WindowsXP as quickly as possible.
