Windows XP: What Its Sunset Means for Merchants and POS

Markiyan Malko |

March 6, 2014

Windows XP

Microsoft’s extended support for Windows XP, the operating system originally launched in August 2001, is coming to an end. Effective April 8, 2014, Microsoft will no longer provide technical support or issue security patches for Windows XP. While the majority of Windows users are now on Windows 7, Windows XP still represents approximately 29 percent of the market. The sunset could present major challenges, as a large number of business owners and retailers still use Windows XP to run their business and/or their point-of-sale (POS) system.

In addition to the lack of technical support from Microsoft, merchants who do not update their system(s) will, absent an approved compensating control, be in violation of the PCI DSS (Payment Card Industry Data Security Standard). PCI DSS requirement 6.1 requires merchants to “ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed” and to “install critical security patches within one month of release.” With no further patches from Microsoft or another authorized vendor, that requirement cannot be met: every vulnerability found in Windows XP after April 8 stays unpatched, so the system becomes increasingly vulnerable over time.

Beginning in April, ASV (Approved Scanning Vendor) scans will flag any system running Windows XP as an automatic failure, which means immediate non-compliance with PCI DSS. Attackers who target payment systems know which POS packages are likely to be running on XP and will target those heavily, especially once a vulnerability is disclosed after the sunset date, since it will never be fixed.

Current Windows XP Users

If you're a retailer reading this, you are probably using Windows XP and trying to figure out how to migrate off it, or at least you should be. Luckily for merchants, most PA-DSS validated POS software supports Windows 7/8. Newer Windows versions also have good support for running older applications in 'compatibility mode', which might allow your older software to run on a newer operating system; confirm with the vendor that this configuration is supported, since a PA-DSS validation covers the platforms the application was validated on. Unfortunately, not all hardware is compatible with Windows 7/8, so some merchants may need to upgrade their systems and peripherals. Furthermore, POS software providers will often charge for the newer version of the application unless the merchant has an ongoing support contract that covers upgrades. There is also the hurdle of the upgrade itself: it is not a click-through upgrade but a fresh install, so you must first export and save any data from the POS, such as inventory and order history, and import it again once the upgrade is complete.

Non-POS Windows XP systems

One important fact to keep in mind is that PCI DSS applies to your whole cardholder data environment. This means that even if your POS system is up to date, any other machine connected to the same network must also be compliant, or must be segmented out of it. Many businesses have back-office machines that they use to run the business (payroll, a jukebox, etc.), and these typically sit on the same network as the POS. It's important to identify these systems and either remove them from the network, move them onto a separately segmented network that cannot reach the POS, or upgrade them as well. Segmentation only reduces scope if it actually blocks traffic between the two networks; a second switch or VLAN that still routes to the POS does not count.

Going Beyond

With a little more than a month left until the sunset date there isn't much time to upgrade. Hopefully, you already have a path for upgrading to a supported version of Windows or have identified a new solution to use instead. There are some best practices that you should be following and looking for when upgrading to a new system. First, you should ensure that your POS software supports point-to-point encryption (P2PE), sometimes called end-to-end encryption (E2EE). Utilizing hardware such as encrypting card readers minimizes risk by ensuring that cardholder data is encrypted inside the card reader before it is passed to the POS machine. The POS application simply treats the encrypted card data as if it were the regular data and passes it to the gateway/processor for processing. The POS machine and application have no way to decrypt the track data and recover the card number, so even if the machine is compromised, for example by memory-scraping malware, the risk of losing unencrypted cardholder data is greatly reduced.

It is common for solutions that support P2PE to also use tokenization in order to support full feature functionality. Tokenization replaces sensitive cardholder data with a token that cannot be reversed into cardholder data; a well-designed token carries no information about the card number at all and is only meaningful to the gateway/processor that issued it. The token is generated by the gateway/processor once the transaction has been processed and should be tied to a single merchant (or chain), so a token taken from one merchant is useless at another. Tokens are important for supporting follow-on transactions like voids, returns or tip adjustments without requiring the card to be presented again.
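The two paragraphs above describe the P2PE flow and the tokens that ride alongside it. The following is an added example (not code from the original post or from any POS vendor) that models the three parties in Python: a reader that encrypts track 2 with a key shared only with the gateway, a POS that forwards the ciphertext and keeps only a token, and a gateway that decrypts, issues a merchant-bound token and honours refunds by token. The cipher is a stand-in built from HMAC-SHA256 so the file runs with no third-party libraries; real readers use TDES/AES under DUKPT in tamper-resistant hardware. The class names, merchant IDs and the track 2 sample are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Added example, not vendor code. The cipher is a stand-in (HMAC-SHA256 keystream, encrypt-
# then-MAC) so this runs on the standard library; real P2PE readers use TDES/AES under DUKPT.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; only a holder of `key` can open or forge it."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def luhn_ok(pan: str) -> bool:
    # Luhn check digit: the gateway's first sanity check on a decrypted PAN
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class EncryptingReader:
    """Encrypts track 2 at swipe time; the key never leaves the reader."""
    def __init__(self, key: bytes):
        self._key = key

    def swipe(self, track2: str) -> dict:
        pan = track2.split("=")[0]
        return {"blob": seal(self._key, track2.encode()), "last4": pan[-4:]}

class Gateway:
    """Holds the reader key and the token vault; the only party that ever sees a PAN."""
    def __init__(self, key: bytes):
        self._key, self._vault = key, {}  # vault: token -> (merchant_id, pan, expiry)

    def authorize(self, merchant_id: str, amount_cents: int, blob: bytes) -> dict:
        try:
            track2 = unseal(self._key, blob).decode()
        except ValueError:
            return {"approved": False, "reason": "tampered or foreign ciphertext"}
        pan, rest = track2.split("=", 1)
        if not luhn_ok(pan):
            return {"approved": False, "reason": "invalid PAN"}
        token = "tok_" + secrets.token_hex(8)  # random: carries nothing about the PAN
        self._vault[token] = (merchant_id, pan, rest[:4])
        return {"approved": True, "token": token, "last4": pan[-4:], "amount": amount_cents}

    def refund(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:  # tokens are bound to one merchant
            return {"approved": False, "reason": "token not valid for this merchant"}
        return {"approved": True, "amount": amount_cents, "last4": entry[1][-4:]}

class POS:
    """The Windows-side application: forwards ciphertext, keeps only tokens and last4."""
    def __init__(self, merchant_id: str, gateway: Gateway):
        self.merchant_id, self.gateway = merchant_id, gateway
        self.memory = []  # everything card-related the POS ever held (what a RAM scraper sees)

    def sale(self, amount_cents: int, swipe: dict) -> dict:
        self.memory.append(swipe["blob"])
        resp = self.gateway.authorize(self.merchant_id, amount_cents, swipe["blob"])
        if resp["approved"]:
            self.memory.append(resp["token"].encode())
        return resp

    def refund(self, token: str, amount_cents: int) -> dict:
        return self.gateway.refund(self.merchant_id, token, amount_cents)

def demo() -> dict:
    reader_key = secrets.token_bytes(32)  # injected into reader and gateway, never into the POS
    gateway, reader = Gateway(reader_key), EncryptingReader(reader_key)
    pos = POS("MERCHANT-001", gateway)
    sale = pos.sale(1999, reader.swipe("4111111111111111=2512101000000000000"))  # constructed track
    tampered = bytearray(pos.memory[0])
    tampered[20] ^= 0x01  # flip one ciphertext bit, as a man-in-the-middle might
    return {
        "sale": sale,
        "refund_same_merchant": pos.refund(sale["token"], 500),
        "refund_other_merchant": gateway.refund("MERCHANT-999", sale["token"], 500),
        "tampered": gateway.authorize("MERCHANT-001", 1999, bytes(tampered)),
        "pan_visible_to_pos": any(b"4111111111111111" in m for m in pos.memory),
    }
```

Running demo() shows the page's claims in code: the POS memory never contains the PAN, a flipped ciphertext byte is rejected by the gateway, and a token issued to MERCHANT-001 is refused for a refund requested as MERCHANT-999. Swap seal/unseal for the reader vendor's real P2PE scheme; the rest of the structure is what to look for when evaluating a solution.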

Additionally, there has been a trend to remove the card processing functionality from the POS and offload it to a dedicated device that keeps sensitive cardholder data away from the POS altogether. The common term for these solutions is 'semi-integrated', and they are quite common outside the U.S. due to the complexity of EMV transactions. A semi-integrated solution typically involves a consumer-facing device that communicates directly with the gateway/processor and does not require the POS to process the transaction. The POS software simply requests an amount to be collected, lets the consumer-facing device capture and process the sensitive cardholder data, and receives the receipt details back for presentment. There is no degradation of the consumer experience, since the flow of the transaction is unchanged, and the merchant's systems become easier to update because the card processing components are segmented from the rest.

What if I'm Stuck With XP?

In the unfortunate event that you cannot immediately migrate away from Windows XP, there are a few measures that can be implemented, although they are by no means ideal. The quickest and cheapest remedy is to remove the card processing functionality from your POS system and use traditional stand-alone credit card terminals. This will be a burden to cashiers and to the back-office employees responsible for reconciling funds, but it does remove the vulnerable Windows XP system from the cardholder data path. There are also more advanced options such as application whitelisting, which locks the system down so that only approved executables can run. This will likely need to be treated as a compensating control for PCI DSS purposes and should be signed off by a QSA (Qualified Security Assessor) to ensure it was implemented correctly. Keep in mind that whitelisting only controls which programs launch; it does not fix the unpatched code in Windows XP itself, so it reduces the risk rather than removing it. Even where whitelisting is accepted as a compensating control, it is still highly recommended to use best practices such as P2PE, tokenization and semi-integrated devices to reduce the risk of a breach.