Joint Official Statement on Windows XP within ATMs by ATMIA and PCI Security Standards Council - March 11, 2014
Tuesday, March 11, 2014

by ATMIA

The ATM Industry Association and the PCI Security Standards Council have issued the following joint official statement regarding Microsoft's end of support for the Windows XP operating system, which many ATMs run, in April 2014.

“One question on the industry’s lips,” explained ATMIA CEO, Mike Lee, “is: will ATMs still running on XP operating systems after end-of-support be non-compliant with the PCI DSS?”

The PCI Data Security Standard (PCI DSS) version 3.0, effective January 1st 2014, provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents. It applies to any organization that stores, transmits or processes cardholder data. Within PCI DSS, requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities.

“Where operating systems are no longer supported by the vendor, OEM or developer,” commented Troy Leach, Chief Technology Officer for the PCI Security Standards Council, “security patches might not be available to protect the systems when new exploits are discovered. The PCI DSS Requirements 6.1 and 6.2 would not be able to be met without the use of compensating controls at a minimum to address the risks introduced.”

However, it may be possible to implement compensating controls that address the risks posed by running an unsupported operating system and so meet the intent of the requirements. To be effective, the compensating controls must protect the system from vulnerabilities that could lead to exploitation of the unsupported code.

According to the PCI Council’s website, examples of controls that may be combined to contribute to an overall compensating control include active monitoring of system logs and network traffic, properly configured application whitelisting that only permits authenticated system files to execute, and isolating the unsupported systems from other systems and networks. Note that these examples may complement an overall compensating control, but on their own they would not provide sufficient mitigation. Additionally, if an unsupported operating system is Internet-facing, it will be detected and reported as an automatic failure by an ASV scan. Detection of an unsupported operating system in an ASV scan must then be addressed according to the “Addressing Vulnerabilities with Compensating Controls” section of the ASV Program Guide. For assistance with compensating controls, and for questions about whether a specific implementation meets PCI DSS requirements, organizations should contact a Qualified Security Assessor.

“It is important to remember,” added Leach, “compensating controls should only be considered a temporary solution. Organizations should have a migration plan to upgrade in a reasonable amount of time to a supported operating system, as the OS serves as the foundation for services and other security controls related to protecting cardholder data.”

For further information on this topic see the following FAQ and infographic: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Unsupported-OS

About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.

Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council

Join the conversation on Twitter: http://twitter.com/#!/PCISSC

About ATMIA
The ATM Industry Association, founded in 1997, is a global non-profit trade association with over 4000 members in 60 countries. The membership base covers the full range of this worldwide industry comprising over 2.2 million installed ATMs.

An independent, non-profit trade association, our mission is: to promote ATM convenience, growth and usage worldwide; to protect the ATM industry's assets, interests, good name and public trust; and to provide education, best practices, political voice and networking opportunities for member organizations.

ATMIA has chapters around the world in the United States, Canada, Europe, Latin America, Asia-Pacific, Asia, Africa and the Middle East. Learn more about ATMIA at www.atmia.com.
