An Issue You Will Need to Deal With Sooner Than Later – Microsoft Windows XP Embedded’s End of Life is in January.
XP Embedded, the workhorse of the modern Point of Sale age, is going away. After a run of more than 14 years, extended support for the product is ending. The reason? Older encryption protocols such as TLS 1 have vulnerabilities, and Microsoft will no longer support them because it cannot bring them up to new standards on Windows XP-based operating systems. This will essentially render all systems running the XP operating system non-PCI-compliant effective January 13, 2016.
Included in this group are:
- Microsoft Windows Embedded XP
Not updating your POS system to a compliant operating system will put your POS environment in violation of PCI compliance in at least 3 areas (quoted from PCI DSS v3: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf):
- “6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.”
- “11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved.”
- “11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.”
This means that if you are running a POS system with Windows XP, you have to do something now. Please contact us (http://www.rdspos.com) for an assessment of whether your environment is at risk.
By Patrick Solum