April 1, 2014

Windows XP Warning: The Time to Update Is NOW


In January, we warned you that Microsoft would cease support for Windows XP very soon. Well, that time has come. After April 8, 2014, Windows XP will no longer receive security patches or end-user updates from Microsoft, leaving the operating system highly vulnerable whenever a new attack vector is discovered. This impacts you in two ways: first is the loss of PCI compliance, and second is the loss of system security.

This Is Not a Requirement of Shift4
We would like to stress to our merchant customers that we had no part in or influence on Microsoft’s decision to end support for Windows XP, or on the PCI Council deeming your environment “non-compliant” if you’re still using it. This information, and the steps you need to take to be PCI compliant, should have been coming from your merchant bank or ISA/QSA during your last assessment. Unfortunately, we’ve heard this hasn’t been happening, so we’re here to offer the information.

Why Your PCI Compliance Is Affected
Your compliance will lapse if you are running Windows XP because requirement 6.2 of the PCI Data Security Standard (PCI DSS v3) says to “ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.”

This means that if you are running Windows XP in your cardholder data environment, you cannot check “In Place” on your next Self-Assessment Questionnaire (SAQ). (Merchants can download the appropriate SAQ for their business, based on their transaction volume, by visiting: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php.)

Why Does This Happen?
Windows XP has been one of the most popular operating systems for both personal and business use, but the system is 12 years old now. Eventually, a vendor develops newer operating systems and decides to focus their full attention and resources on them. In this case, Microsoft has decided on an “end of life” date for the older operating system and after that date they no longer provide support for it. So while you can still access and use Windows XP and all of its applications like normal after April 8th, the system is no longer secure and you are no longer PCI compliant. (Read our accompanying article about the latest threat to POS systems, especially ones running on XP.)

Possible Actions If You Cannot Update Immediately
If you cannot or will not upgrade to a supported operating system, here are a few suggestions:

  • Switch Web browsers. Windows XP only supports Internet Explorer v8, which means that it’s at least two versions out of date and now vulnerable to some nasty exploits. Both Chrome and Firefox will be continuously updated on Windows XP.
  • Check with your antivirus vendor to determine when their support for Windows XP will terminate.
  • Check that user profiles are based on the least-privilege principle. If end users don’t need administrator accounts to perform their job functions, reduce their privileges.
  • Request that your IT team review your system configurations and disable all unnecessary services on Windows XP machines.
  • Be wary of vendors touting security patch support for Windows XP after April 8th. If you engage them, use caution and thoroughly test security updates on non-production systems, as they may render your payment applications inoperable.

Advice to those still running Windows XP: Consult with your merchant services provider (MSP) or merchant bank and your ISA or QSA immediately so they can provide guidance as to what your next steps should be.
Again, this is not an update offered by or a requirement made by Shift4 or DOLLARS ON THE NET®. But if you have any questions, please contact our Customer Support team at [email protected] or call 702.597.2480 (option 2).