
PCI SSC and ATMIA issue joint statement on the end of XP

With time running out for Windows XP support, industry organizations offer information and resources.

March 12, 2014

The ATM Industry Association and the PCI Security Standards Council have issued a joint official statement and news release regarding the end of support by Microsoft for its Windows XP operating system on April 8. Following is their statement and links to resources for deployers who will not be running Windows 7 by that date. 

"One question on the industry's lips is 'Will ATMs still running on XP operating systems after end-of-support be non-compliant with the PCI DSS?'" said ATMIA CEO Mike Lee.

The PCI Data Security Standard Version 3.0, effective Jan. 1, provides an actionable framework for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.

It applies to any organization that stores, transmits or processes cardholder data. PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. 

"Where operating systems are no longer supported by the vendor, OEM or developer, security patches might not be available to protect the systems when new exploits are discovered," said Troy Leach, CTO of the PCI SSC. "The PCI DSS Requirements 6.1 and 6.2 would not be able to be met without the use of compensating controls, at a minimum, to address the risks introduced."

It might be possible to implement compensating controls to address risks posed by unsupported operating systems and meet the intent of the requirements. To be effective, the compensating controls must protect the system from vulnerabilities that might lead to exploitation of unsupported code.

According to the PCI Council website, individual controls may be combined to contribute to an overall compensating control. Some examples include:

  • active monitoring of system logs and network traffic;
  • properly configured application whitelisting that only permits authenticated system files to execute; and
  • isolating the unsupported systems from other systems and networks. 

Note that these examples might complement an overall compensating control, but alone would not provide sufficient mitigation.
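The second bullet above, application whitelisting that only lets authenticated system files execute, is the one item in the list that reduces to a concrete check. The following is an added example, not code from the article, the PCI SSC or ATMIA: a deny-by-default allowlist that permits an executable only when its path is in an approved manifest and its SHA-256 digest matches. The file contents, paths and manifest are constructed inline for a hypothetical ATM host so the example runs offline; a real deployment would take the manifest from a vendor-signed baseline and feed the ALLOW/DENY decisions to the log monitoring the first bullet calls for.

```python
"""Added example (not from the article or the PCI SSC): a minimal
application-allowlisting check. Executables run only if their path is in an
approved manifest AND their SHA-256 digest matches; everything else is
denied. All inputs below are constructed for a hypothetical ATM host."""
import hashlib
from typing import Dict, List, Tuple

# Approved baseline: constructed bytes standing in for vendor-authenticated
# binaries. In practice this would be a signed manifest shipped with the build.
BASELINE: Dict[str, bytes] = {
    r"C:\Windows\System32\notepad.exe": b"approved-notepad-build",
    r"C:\ATM\vendor\dispense.exe": b"approved-dispense-v1",
}

# Constructed "disk image" at check time: one untouched approved file, one
# approved path whose contents were altered, one binary with no entry at all.
FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\notepad.exe": b"approved-notepad-build",
    r"C:\ATM\vendor\dispense.exe": b"approved-dispense-v1-patched",
    r"C:\Users\Public\dropper.exe": b"unknown-binary",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


# Manifest derived from the baseline: path -> expected digest.
APPROVED: Dict[str, str] = {path: sha256_hex(data) for path, data in BASELINE.items()}


def check_execution(path: str, contents: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default: unknown paths and modified
    files are both refused, with a reason suitable for a monitoring log."""
    expected = APPROVED.get(path)
    if expected is None:
        return False, "not in allowlist"
    if sha256_hex(contents) != expected:
        return False, "digest mismatch (file modified or replaced)"
    return True, "digest matches approved manifest"


def evaluate(files: Dict[str, bytes]) -> List[Tuple[str, bool, str]]:
    """Evaluate every file as if it had requested execution and return the
    decisions; these are the events active log monitoring would consume."""
    return [(path, *check_execution(path, data)) for path, data in files.items()]


if __name__ == "__main__":
    for path, allowed, reason in evaluate(FILES):
        print(f"{'ALLOW' if allowed else 'DENY '} {path}: {reason}")
```

Run as written, the script allows notepad.exe, denies dispense.exe because its digest no longer matches the manifest, and denies dropper.exe because it has no manifest entry. The point of pairing a path with a digest, rather than a path alone, is that replacing an approved binary in place is caught as well as dropping a new one.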

Additionally, if an unsupported operating system is Internet-facing, it will be detected and reported as an automatic failure in a scan by an approved scanning vendor.

Detection of unsupported operating systems in an ASV scan will need to be addressed according to the "Addressing Vulnerabilities with Compensating Controls" section of the ASV Program Guide.

For assistance with compensating controls, and for answers to questions about whether a specific implementation meets PCI DSS requirements, organizations should contact a qualified security assessor.

"It is important to remember [that] compensating controls should only be considered a temporary solution," Leach said. "Organizations should have a migration plan to upgrade in a reasonable amount of time to a supported operating system, as the OS serves as the foundation for services and other security controls related to protecting cardholder data."

For further information on this and other PCI-related topics, see the FAQs section of the PCI website. The council has also posted an infographic that provides information specific to Windows XP end of support.

The PCI Security Standards Council is an open global forum that is responsible for the development, management, awareness of and education about the PCI Data Security Standard and other standards that increase payment data security.

The ATM Industry Association is a global nonprofit founded in 1997 to promote industry growth and the convenience and use of ATMs; to protect industry assets, interests, reputation, and public trust; and to provide education, best practices, a political voice and networking opportunities for member organizations.
