Windows XP End of Life Affects PCI Compliance

Storefront Backtalk recently reported on how the end of Windows XP will affect retailers who are concerned about PCI compliance. Retailers still running XP will face one of three different scenarios, and how they choose to address the situation will bear on both their PCI compliance and their security. It may even end up in some fallout for the PCI Security Standards Council.

In about 14 months, Windows XP will be retired. After that date Microsoft will no longer produce security patches of any kind for the system, so retailers with point of sale systems or other payment systems running on Windows XP will no longer be PCI compliant.

Retailers who are running point of sale systems on Windows XP should act as soon as possible. According to Storefront Backtalk, if retailers have not started moving to a more modern desktop, they are already late. Retailers may be wondering how the end of an operating system’s life causes them to be noncompliant, since the term “end of life” does not appear anywhere in the PCI Data Security Standard.

The reason that merchants cannot use a payment application running on an outdated system is that doing so runs up against PCI DSS Requirement 6.1. According to this requirement, merchants have to, “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.” Once an operating system has passed its end of life, the vendor neither releases new security patches nor keeps looking for new weaknesses, so the requirement can no longer be satisfied.
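To make the Requirement 6.1 reading concrete, here is an added inventory check (not code from the original article or from Storefront Backtalk) that flags a host when its operating system is past vendor end of support or when a critical patch was not applied within the one-month window. The 30-day reading of “one month”, the hostnames and the patch dates are constructed for the example; the XP and Windows 7 end-of-support dates are Microsoft’s published ones.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Vendor end-of-support dates by OS name (Microsoft's published dates for
# Windows XP and Windows 7; extend the table from your own inventory).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}
# Requirement 6.1's "within one month of release", read here as 30 days (assumption).
PATCH_WINDOW = timedelta(days=30)

@dataclass
class Host:
    name: str
    os: str
    critical_patch_released: Optional[date]   # release date of the newest critical vendor patch
    critical_patch_installed: Optional[date]  # when it was applied, None if still missing

def check_requirement_6_1(host: Host, today: date) -> list:
    """Return the 6.1 findings for one host; an empty list means nothing was flagged."""
    findings = []
    eol = END_OF_SUPPORT.get(host.os)
    if eol is not None and today >= eol:
        # Past end of life the vendor issues no patches, so 6.1 cannot be met on this OS.
        findings.append(f"{host.os} unsupported since {eol}: no vendor security patches")
    if host.critical_patch_released is not None:
        deadline = host.critical_patch_released + PATCH_WINDOW
        if host.critical_patch_installed is None:
            if today > deadline:  # still inside the window is not yet a finding
                findings.append(f"critical patch of {host.critical_patch_released} missing; deadline {deadline} passed")
        elif host.critical_patch_installed > deadline:
            findings.append(f"critical patch of {host.critical_patch_released} applied late on {host.critical_patch_installed}")
    return findings

# Constructed sample inventory for the demonstration.
SAMPLE_HOSTS = [
    Host("pos-01", "Windows XP", date(2014, 3, 11), date(2014, 3, 20)),
    Host("pos-02", "Windows 7", date(2014, 4, 8), None),
    Host("pos-03", "Windows 7", date(2014, 3, 11), None),
    Host("kiosk-01", "Windows XP", None, None),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        found = check_requirement_6_1(h, date(2014, 5, 1))
        print(h.name, "OK" if not found else "; ".join(found))
```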

Aside from the PCI DSS compliance issues, retailers who keep running unsupported systems are setting themselves up to be a target of hackers, who routinely scan merchants’ systems for signs of weakness. An end of life system can be an open invitation, particularly once it carries vulnerabilities that will never be patched.

Retailers who are working with point of sale systems on Windows XP are likely to fall into one of the three following scenarios. In the first scenario, the retailer will try to switch to Windows 7 or Windows 8. To see if this is possible, the retailer can check the PCI SSC’s list of PA-DSS validated applications, looking under “Tested Platforms/Operating Systems” to see what options are available. A check of the list shows that many of the applications that run on Windows XP also have alternate validated versions.

In the second scenario, the retailer may think that a new version will never be available in time. Some applications can be installed on a newer operating system, but that alone is not enough: PA-DSS testing may require the application to be tested on every platform it runs on. Just because an application can run on Windows 7 or 8 does not mean that it is PA-DSS validated there.

In the third scenario, the retailer may not know what impact this will have because they have a complicated point of sale system. This group of retailers includes those who have self-serve kiosks. The kiosks may have multiple interfaces that connect receipt printing, credit card acceptance, and display screens, which makes changing systems very complicated.

These retailers are unlikely to be able to keep the end of life Windows XP operating system and still meet Requirement 6.1 on their own, because they will probably not have the resources to find the vulnerabilities or to develop code that fixes the problems in the system.

Creating a compensating control would be difficult because it requires a risk analysis. It is possible that a retailer could combine enhanced monitoring with a host-based intrusion prevention system.

Retailers should know that Windows XP’s upcoming end of life may have an impact on the PCI SSC’s list of validated applications. Normally, this kind of validation is good for three years, after which a new report on validation needs to be issued. An open question is whether the PCI SSC would accept Windows XP applications this coming year when the system is going to expire in about 14 months. These are just some of the issues that retailers are facing due to the expiring Windows XP system, and they should decide on a fix before it is too late.

You can read the original article here.

Image: The Consumerist @ Flickr.

The post Windows XP End of Life Affects PCI Compliance appeared first on Credit Card Processing.
