
XP in the crosshairs: ATM protection in a post-support world

Webinar homes in on the benefits of one option for operators who aim to secure their XP-driven ATMs by April 8.

March 5, 2014 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications

Can Microsoft Windows XP-driven ATMs be compatible with risk requirements and be used within a PCI DSS environment after April 8, 2014?

Yes.

So if I don't upgrade my XP-driven ATMs to Windows 7 by April 8, 2014, they can still be compatible with PCI DSS, even if they're not covered by a Microsoft Customer Support Agreement?

Yes.

To be perfectly clear, you're saying that my multi-vendor fleet of major brand-name ATMs running on Windows XP can be operated just as securely on April 9, 2014, as it is today, even if I'm not getting Microsoft patches?

Yes.

But can I prove that my fleet is PCI DSS compatible? Is there some kind of certification that PCI SSC will accept as a compensating control — just like they would a Microsoft CSA?

Yes.


It's not a word-for-word transcription, but it's pretty much the gist of the Q&A session from this Tuesday's webinar hosted by ATM Marketplace and presented by Wincor Nixdorf.

Anxious about the end of support for Microsoft Windows XP a month from now, participants wanted to know whether Wincor's PC/E Terminal Security solution might be a bona fide option for maintaining a PCI-compliant fleet.


Testing by the independent German firm Security Research & Consulting (SRC) has verified that it is, and Wincor has certified the software as a "compensating control," which means that the PCI Security Standards Council will accept it as a substitute for ongoing Windows XP security updates from Microsoft.

At this point, such options are becoming critically important. The Microsoft deadline will pass with the majority of the world's ATMs still running XP — and running it without the coverage provided by an individually purchased (and for most, prohibitively expensive) Microsoft customer support agreement.

During Tuesday's free, one-hour event, Terrence Devereux, a senior trusted advisor at Wincor Nixdorf, said that any deployer who was just now beginning the planning process for a Windows 7 upgrade was about a year late coming to the party.

"Now the option at the moment — and there really is only one option if you haven't even started that project or are not in the middle of that project — is really to buy yourself time and stay on XP," Devereux said.

Within this option, a deployer has a couple of choices, Devereux said. One, of course, is the previously mentioned Microsoft CSA. And, said Devereux, some deployers will no doubt take this option.

Another is to implement a less costly and longer-term solution such as PC/E Terminal Security — a solution that obviates the need for Microsoft patches by providing equally (or more) effective coverage for XP security flaws.

This solution can be just as acceptable as a Microsoft CSA as far as the PCI SSC and bank regulators are concerned, Devereux said. "I'm going to use the words of the Federal Financial Institutions Examination Council, here. You just have to 'mitigate the risk.'"

Wincor believed that its existing terminal security software could do just that. And to make sure that "what was on the box was in the box," Devereux said, the company turned to SRC.

Randolf Skerka, division manager for network security and security management systems at SRC, explained the consultancy's role in determining PCI compensating control eligibility, and also described the exhaustive testing (and test setup) behind SRC's verification of PC/E Terminal Security for compensating control status.

PCI has outlined several prerequisites for compensating controls, Skerka said. The candidate system must demonstrate that:

  • the risks at the core of the requirements are mitigated via alternative means;
  • the implemented compensating control meets the requirements in full; and
  • a risk analysis has been performed and evaluated.

Skerka said that the objective of SRC testing was to answer the question, "Is the system (self-service PC) immune from known Windows XP threats/exploits via network, malware and unauthorized devices such as USB sticks, keyboards, and so on?"

"And so ... we could verify that," Skerka said. "And we can say, 'Yes, if the system is set up like it is defined in the compensating control we are able to run an ATM with Windows XP with the solution provided by Wincor and we are fine with PCI DSS — meaning that we can stay compliant.'"

Skerka said that annual testing will ensure ongoing certification of the software as a compensating control. And Devereux said that Wincor itself will purchase the Microsoft CSA and test its own solution against future Microsoft security updates to ensure they are fully covered by PC/E Terminal Security.

And should a deployer using the Wincor solution upgrade to Windows 7, the return on the security investment is still there. In fact, Devereux said, as long as Microsoft continues to release new versions of its operating system, Wincor will continue to incorporate support for that version into its security software.

The one question Devereux and Skerka could not answer in the webinar — and, realistically, no webinar on the topic can — was how much less Wincor's solution might cost compared with the price tag of a Microsoft Customer Support Agreement.

"That depends," Devereux said post-webinar. There are simply too many pricing variables to a Microsoft CSA to offer a one-size-fits-all number, he said. Among the factors are the number of ATMs to be covered and the number of years coverage will be required.

What is certain is that the cost of a CSA will run into the millions, and that the cost will double from year one to year two. And without question, the cost of doing nothing might run even higher.

Download the free webinar, "Life beyond Microsoft's April 8 XP support deadline."

photo: micah jayne


About Suzanne Cluckey

Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.

©2025 Networld Media Group, LLC. All rights reserved.