Along with the rise in successful attacks on retailers, there has also been a rise in concern about the vulnerability of point-of-sale (POS) devices. Target, Subway, Nieman Marcus are all good examples of why a hacker would choose the POS device as their target. The rewards are both far reaching and highly lucrative.
Particularly with POS devices, it’s impossible to emphasize enough the difference between compliance and security. These cannot be equated and sometimes are not even in the same ballpark. Taking the Subway breach as an example, you can be PCI and PA-DSS compliant and still be exploited if you leave other security measures untended.
Ensuring you are following the guidance in NACS/PCATS 8-point plan is a good way to stay on top of those other security measures that can improve not only compliance, but also security. It provides guidance to a layered security approach to protect the POS devices beyond the local device. One of the most important elements is keeping the PA-DSS compliant software up to date and compliant, but also keeping any other applications residing on these systems patched and updated is imperative. Segmenting the POS devices, and eliminating internet access directly from the POS device further protects them. CERT’s Alert (TA14-002A), released in January 2014, emphasizes many of the same points for protection of the POS devices.
As we approach the Windows XP End of Life (EOL) in April, concerns have been raised regarding the broad reliance of ATMs on Windows XP Embedded. While XP Embedded is still supported until 2016, many of the systems supporting the ATMs will remain dependent on Windows XP and will go unpatched after April. This raises the concerns around letting platforms that will increase the risk of exploitation come in contact with POS devices.
Many banks have already been in negotiations with Microsoft to extend support for the support of these dependent XP systems. Extending the support for these systems will allow banks to deploy private-release critical security patches to them, but this may require additional effort on the part of the IT teams to package the private patches for delivery to the EOL systems. For companies choosing to extend XP support beyond the April EOL date, you should contact your vendor regarding custom patch support. Shavlik has done this in the past with the EOL of Windows NT and 2000 systems. We are already discussing this type of service for customers who know they will have a prolonged dependency on Windows XP.
Many of the banks will be moving to Windows 7 Embedded, but are holding off for a few years to wait for the chip and pin rollouts before performing the migration to Windows 7 Embedded. That will occur over the next few years. By the time most have made the switch, it will be time to start looking at the next migration, as they will have about three years until Windows 7 Embedded reaches its own EOL and the problem repeats.
Last week our content team released support for Windows 8.1 Embedded. For the Shavlik customers who have already been requesting support for this platform, it is available for you now. For those customers upgrading to Windows 7 Embedded, that is already supported as well. For more information, please visit http://www.shavlik.com/solutions/patch-management/