What Windows XP End of Life Means for PCI DSS & Device Security
As perhaps you’ve heard by now, Microsoft will be ending support for Windows XP on Tuesday, April 8, 2014. Specifically, there will be “no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates,” as a Windows Embedded blog stated in February.
What some might not realize is how that affects those regulated by PCI DSS compliance requirements, which were most notably updated from version 2.0 to 3.0 late last year. While Microsoft.com does call out compliance as a potential risk of staying with Windows XP, it only refers to HIPAA compliance as it affects the healthcare industry and its vendors.
PCI DSS compliance affects the e-commerce and retail industry, and any organization that deals with credit cardholder data. As PCI DSS requirement 6.2 dictates:
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. - PCI DSS Version 3.0 (PDF)
So, obviously, if patches are no longer available for Windows XP, organizations still running the OS won’t be in compliance with the PCI standard, which could potentially put tons of customer data at risk, as well as boot many organizations off of the Visa Global Registry of Service Providers (an official list of PCI compliant service providers) and the Visa Approved Vendor Program (vendors qualified to support those regulated by PCI DSS).
Another concern is the sheer number of devices that run on Windows XP - the vast majority of ATM computers run on the OS. As our Security Evangelist Mark Stanislav stated in Windows XP Will Not Go Gentle Into That Good Night:
Oh, and don’t forget the number of “things” that run Windows XP – from kiosks to ATMs – which could dramatically impede the daily lives of millions of people if those machines were affected by this future lack of support and patching. Suffice to say, this situation is a much bigger deal than anyone running Windows XP still would like to openly admit.
Windows XP Professional for Embedded Systems will end support on April 8, 2014. However, ATMs that run on other versions of Windows XP Embedded will still be supported, some through early 2016 and others through 2019. Those include:
- Windows XP Embedded Service Pack 3 (SP3) - Jan. 12, 2016
- Windows Embedded for Point of Service SP3 - April 12, 2016
- Windows Embedded Standard 2009 - Jan. 8, 2019
- Windows Embedded POSReady 2009 - April 9, 2019
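The practical question behind requirement 6.2 and the support dates above is which hosts in your own inventory can no longer receive vendor patches at all. The following is an added example, not code from the original post or from Duo: it takes a constructed asset list (hostname, OS string, whether the host sits in the cardholder data environment) and flags XP-family systems whose end-of-support date has passed, using only the dates given on this page. The inventory rows and the `as_of` date are assumptions for illustration; the matching is deliberately longest-key-first so that "Windows XP Embedded SP3" is not mistaken for plain "Windows XP".

```python
"""Flag inventory hosts whose Windows XP-family OS is past vendor support."""
import csv
import io
from datetime import date

# End-of-support dates as listed in the post. The April 8, 2014 date covers
# desktop Windows XP as well as XP Professional for Embedded Systems.
EOL_DATES = {
    "windows embedded posready 2009": date(2019, 4, 9),
    "windows embedded standard 2009": date(2019, 1, 8),
    "windows embedded for point of service sp3": date(2016, 4, 12),
    "windows xp embedded sp3": date(2016, 1, 12),
    "windows xp professional for embedded systems": date(2014, 4, 8),
    "windows xp": date(2014, 4, 8),
}


def eol_date_for(os_name):
    """Return the end-of-support date for an XP-family OS string, or None.

    Matching is case-insensitive and tries the most specific (longest) key
    first, so a substring like 'windows xp' only wins when nothing more
    specific applies."""
    name = " ".join(os_name.lower().split())
    for key in sorted(EOL_DATES, key=len, reverse=True):
        if key in name:
            return EOL_DATES[key]
    return None


def assess_host(hostname, os_name, in_cde, as_of):
    """Classify one host relative to its vendor support date.

    pci_6_2_risk is set when the host handles cardholder data and its OS is
    past support: a vulnerability disclosed after that date can never be
    patched, so the 30-day window in requirement 6.2 cannot be met."""
    eol = eol_date_for(os_name)
    if eol is None:
        status, days = "not-xp-family", 0
    elif as_of < eol:
        status, days = "supported", 0
    else:
        status, days = "unsupported", (as_of - eol).days
    return {
        "host": hostname,
        "status": status,
        "days_past_eol": days,
        "pci_6_2_risk": bool(in_cde and status == "unsupported"),
    }


def assess_inventory(csv_text, as_of):
    """Parse a hostname,os,in_cde CSV and assess every row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        assess_host(row["hostname"], row["os"],
                    row["in_cde"].strip().lower() == "yes", as_of)
        for row in reader
    ]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = """hostname,os,in_cde
pos-01,Windows XP Professional SP3,yes
atm-17,Windows Embedded POSReady 2009,yes
kiosk-03,Windows XP Embedded SP3,no
hr-laptop,Windows 7 Enterprise,no
"""

if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE_INVENTORY, date(2014, 4, 8)):
        print(finding)
```

Run against the XP end-of-support date itself, the point-of-sale host is the only one flagged for requirement 6.2; re-run the same inventory with a later `as_of` date and the embedded variants drop out of support in the order the post lists them.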
Another potentially critical issue points to the medical device manufacturing industry. InfoSecIsland.com reports that a number of these manufacturers also use embedded XP for the GUIs (graphical user interfaces) of medical devices, as well as to provide links to the external medical databases that house the data collected and used by the devices, meaning they could also be left vulnerable to zero-day malware or operating errors. Aside from introducing serious medical errors to the industry, these devices will also fail to meet HIPAA compliance come April 8, as mentioned earlier.
Device security is becoming even more of a concern, particularly with the recent consumer interest in the Internet of Things (IoT). Learn more by watching our Duo Tech Talk video on security in the time of IoT presented by Don Bailey, or by reading about our recent security community initiative, BuildItSecure.ly!