Windows 7 End of Support – How it affects your PCI compliance, risk and security.

Microsoft is ending support for its Windows 7 embedded products in January 2020. Over the course of its active and extended maintenance periods, more than 989 security patches were released for this product. Soon, Microsoft will release its last Windows 7 patch.

Will you be prepared?

Without security patches, Windows 7 or, for that matter, any software component, will become critically vulnerable. One of the primary principals of operational management is identification—analysis and mitigation of potential risk to business operations. Being able to mitigate potential risk is an elementary necessity.

Continuous use of an unpatched Windows 7 offers criminals and hackers the time needed to perfect their malware in order to penetrate the operating system. Knowing that Microsoft will not be delivering a patch or security update to close so-called Zero-Day vulnerability is like receiving an open invitation to attack. But it is not just the risk of a potential attack; the liability for attacks will also shift to the owners of the devices—that is, the financial institutions and retailers that decided not to comply to industry (and more importantly) security risk requirements.

Why is liability shifting?

The Payment Card Industry (PCI) has created and maintain a set of security standards that applies to any organization, irrelevant of size, which accepts, stores, processes and transmits cardholder data. Financial institutions and retailers typically fall into these categories, and thus, need to ensure they comply with the PCI security standards.

At first glance, it may not be clear what the end of Windows 7 support has to do with cardholder data. However, one of the compliance requirements, PCI DSS 6.2, requires that “all system components and software must be protected from known vulnerabilities by installing applicable vendor-supplied security patches within one month of release.

If an Operating System is no longer supported by the vendor, and security patches are not being released, PCI requirement 6.2 cannot be achieved unless potential risk of doing so is mitigated.

How can you stay compliant?

Upgrade to the newest supported Operating System, Microsoft Windows 10. Migrating to this new Operating System and upgrading your software stack will ensure improved security, speed and an opportunity to improve and modernize the consumer experience. Your fleet size, delivery methods, and resource scheduling can all impact the timeline for testing, validation and go live. So with less than 12 months to go, it’s best to start your planning now.

What if you can’t make the deadline?

By looking at your fleet holistically from a security standpoint, we can help evaluate your network readiness and ability to support Windows 10.  If we determine a stop-gap measure is necessary to keep your fleet secure and compliant until you’re able to fully implement W10, we advise the deployment of our Vynamic™ Security suite.

The industry-leading Vynamic Security suite recently went through a series of extensive independent tests and audits on unpatched Windows 7 and 10 Operating System. These tests confirmed that a device running Vynamic Security is resistant against attacks performed locally and via the network. This means that attempts to hack the terminal were unsuccessful and the independent auditors were unable to:

  • Access any network services and therefore apply an exploit;
  • Exploit known local Windows 7/10 vulnerabilities (local attacks);
  • Run malicious software on the device;
  • Attach an unauthorized USB device (e.g. USB Storage Media, USB HI Device).

Additionally, these tests proved that Vynamic Security qualifies as a “compensating controls” solution under PCI DSS Standards. As defined by the PCI SSC, compensating controls must satisfy the following criteria:

  1. Meet the intent and rigor of the original PCI DSS requirement and
  2. Go “above and beyond” other PCI DSS requirements.

Vynamic Security is PCI DSS audit tested and approved. With this verification, we are able to provide an approved, temporary security stop-gap measure for customers not able to make the deadline of January 2020: up to three years under the current PCI DSS standard (3.2.n); or one year following a new version (i.e. v4.0).

Although our first recommendation is to migrate your fleet entirely to Windows 10—so your network is not only compliant but also provides improved and modernized consumer experiences— security is our primary focus. Therefore, as you begin planning for the migration, and find that you need some extra time, we can partner with you collaboratively to figure out how Vynamic Security can help and be the best way to reduce your risk and liability, and ease your burden as you undertake the challenge of full fleet migration.

Reach out to us with your Windows 10 migration questions today!