Despite Microsoft's recent extension of anti-malware support, software expert James Stannard says the end of Windows XP product support could put store security and PCI compliance at serious risk
This, according to James Stannard, brand manager for Software at IT supplier and distributor Arrow OCS, suggests that millions of enterprise users still haven't decided whether to jump ship and upgrade or to weather the storm.
Microsoft has been extending the end-of-life programme for Windows XP in the hopes of migrating as many users as possible to Windows 8, the latest OS version.
And, while the software giant earlier this year announced it will continue to provide anti-malware support for Windows XP until July 2015, XP will still lose product support and reach its end-of-life date on April 8.
Although the continued provision of antivirus signatures will help to identify known malware that attacks XP systems, those systems will remain vulnerable to zero-day attacks, and Microsoft will not issue security patches unless customers sign up for a subscription-style payment scheme.
Stannard said an old operating system without recent security patches will be susceptible to new viruses. "Some reports have claimed that hackers are lying in wait until support ends to create a 'zero-day hack bonanza'; that is, a hack where a vulnerability is found and an attack is made on the same day.
"As there will be no security updates following these attacks, they will run free on the XP OS, stealing, losing and warping data," he warned.
Lack of third party support
Microsoft is not alone in warning of the security risks of staying on XP: reports have also suggested that independent software vendor (ISV) and hardware manufacturer support will be lacking as well.
"The demise of XP support also means the loss of a dedicated tech support line, so if anything happens, there won’t be anyone at the end of the phone to help," Stannard added. "Choosing to keep XP is choosing to go it alone."
Even Christopher Graham, the Information Commissioner, has spoken about his concerns for retailers choosing to stay with XP. He stated that any retailer who falls foul of the PCI DSS or fails to provide "equivalent protection when processing customers' credit card details" could be liable to fines for failing to adhere to the Data Protection Act and for their lack of PCI compliance.
Stannard said Graham has a point. "Not staying up-to-date with the latest security improvements will mean that XP users could fail one of the key PCI DSS requirements," he said. One such requirement, PCI DSS Directive 6.1, requires that '...all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release'.
"Not complying with PCI DSS could be very serious for any retailer," he explained. "Not only will they lose their PCI compliance come validity assessment time, they will also be subject to fines ranging from £4,000 to £400,000.
"There could also be other knock-on effects, like losing their merchant account and being blacklisted by Visa and Mastercard, severely limiting trading options for years to come."
Making the change
With all these concerns, it is clear that retailers must make some difficult decisions in the next few months. If they choose to migrate to a newer Windows OS, they have less than four months to roll out changes across all of their stores, upgrade older hardware and implement staff training. Stannard said: "Windows POSReady 7 and Windows Industry Pro 8.1 from Windows Embedded offer some significant advances for those ready to make the move from the XP Pro generation."
A full migration from XP may not be immediately possible for many retailers; they may not have the time, budget or staff availability to invest in such a scheme. "For these businesses, there is another solution: Windows Embedded XP in the form of POSReady 2009 (with XP Pro Service Pack 3), with the added security of McAfee whitelisting technologies," Stannard declared.
"McAfee Embedded OEM software uses whitelisting, which is the opposite of blacklisting technology used in many antivirus products, therefore providing complete protection from unwanted applications and code."
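To make the whitelisting-versus-blacklisting point concrete, the following is an added illustration written for this page; it is not code from Arrow OCS, McAfee or the article, and it models only the hash-matching core of each approach (real application control products also use certificates, paths and publisher rules). The "executables" are constructed byte strings and the file names are assumptions. The example shows why a blacklist (deny list) lets a never-before-seen sample and a tampered copy of an approved binary run, while a whitelist (allow list) blocks both.

```python
import hashlib

# Constructed sample "executables": short byte strings standing in for real
# binaries. Names and contents are assumptions for this example only.
KNOWN_GOOD = {
    "pos.exe":     b"pos-terminal-build-2009-sp3",
    "printer.exe": b"receipt-printer-driver-v4",
}
KNOWN_BAD = {
    "stealer.exe": b"memory-scraper-sample-A",
}
# Samples no vendor has seen yet: no blacklist signature exists for them.
UNSEEN = {
    "unseen.exe": b"brand-new-memory-scraper-B",
    # A tampered copy of an approved binary (one byte appended).
    "pos.exe":    b"pos-terminal-build-2009-sp3!",
}


def sha256_hex(blob: bytes) -> str:
    """Identity of a binary for policy purposes: its SHA-256 digest."""
    return hashlib.sha256(blob).hexdigest()


def build_denylist(bad: dict) -> set:
    """Blacklist: hashes of binaries already known to be malicious."""
    return {sha256_hex(b) for b in bad.values()}


def build_allowlist(good: dict) -> set:
    """Whitelist: hashes of binaries approved in advance by the operator."""
    return {sha256_hex(b) for b in good.values()}


def denylist_allows(blob: bytes, denylist: set) -> bool:
    # Blacklisting: run anything that does not match a known-bad signature.
    return sha256_hex(blob) not in denylist


def allowlist_allows(blob: bytes, allowlist: set) -> bool:
    # Whitelisting: run only code whose hash was approved beforehand.
    return sha256_hex(blob) in allowlist


def evaluate(samples: dict, denylist: set, allowlist: set) -> dict:
    """Return {name: (blacklist_verdict, whitelist_verdict)}, True = allowed to run."""
    return {
        name: (denylist_allows(b, denylist), allowlist_allows(b, allowlist))
        for name, b in samples.items()
    }


if __name__ == "__main__":
    dl = build_denylist(KNOWN_BAD)
    al = build_allowlist(KNOWN_GOOD)
    for label, samples in (("known good", KNOWN_GOOD),
                           ("known bad", KNOWN_BAD),
                           ("unseen / tampered", UNSEEN)):
        for name, (bl, wl) in evaluate(samples, dl, al).items():
            print(f"{label:18} {name:12} blacklist={'run' if bl else 'block'}"
                  f"  whitelist={'run' if wl else 'block'}")
```

The trade-off the example makes visible is operational rather than technical: the whitelist never needs a signature update to stop new code, which is exactly what an unpatched, unsupported OS needs, but every legitimate software update on the till must be re-approved before it will run.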
He even went so far as to add: "Choosing POSReady 2009 will extend the life of the XP Pro SP3 code until 2024, with support for the embedded components until 2019. Add McAfee Application Control into the mix and you have a truly hardened, secure retail system.
"Move on, or stay – either way there are game-changing technology options available," he concluded.
Arrow OCS has created a guide to improve Windows XP’s lifecycle management and the benefits to retail here