
XP Expires in April 2014 & PCI DSS concerns

Status
Not open for further replies.

TobeThor

MIS
Jan 24, 2005
393
US
I have been informed that any POS system that is processing credit cards and is using the Win XP OS on BOH computers AND FOH POS computers will be in violation of PCI DSS compliance rules as of April 2014. This affects a huge # of POS systems and my clients are not hearing anything from the credit card processors regarding this issue (or the POS companies as well). I'm wondering just how end-users are going to respond to the fact that their POS system(s) will be non-PCI compliant in 7 months. Is this something our clients should be concerned about? Are POS end-users really going to replace all their POS stations? Can end-users downgrade their XP OS to POS Ready 2009 as that OS expires in 2019 or beyond?
 
POS Ready likely won't run full fledged POS systems.
We've begun rolling out the upgrades already; we are upgrading only their servers though given that their workstations are using Windows CE; though the Workstation 4's, one of the older Micros workstation out right now will no longer be compliant in 2016, so those will have to be upgraded to at least WS4LX before then.
 
Yep, we have 4 restaurants with XP Eclipse workstations, 56 in total, and they all have to be replaced. Trying to decide on LX or refurb WS5a replacements. Most have 2003 Server BOH, but that goes out the window mid-2015 so we'll be rolling out 2008/Res5 upgrades all next year. Should be fun /sarc
 
Any consideration to just using Win32 clients? I know that it kills standardization that way, but it is a lot cheaper to just use Windows 7 boxes with touchscreens.
 
No. I've had really bad luck with Win32 clients running on a domain server and CAL. The security between client and server was tough with XP/2003, 7/2008 would just be miserable.
 
Thanks Moregelen. I meant to ask if you believe/know if POS end-users could downgrade the XP OS on their FOH computers to POS Ready 2009 as I understand the POS Ready 2009 OS is deployed quite commonly on the FOH POS computers.
 
You can dramatically delay this inevitability...

I believe you may maintain usage of an unsupported OS under circumstances where compensating controls are applied to mitigate the vulnerabilities exposed by an unsupported OS.

-Regular reviews for known exploits
-Anti-Virus updated
-Strict firewall rules (no direct inbound exposure to the internet)
-Properly configured application white-listing
-Unsupported OS is isolated to a subnet which no other supported systems can see

Link

This link helps explain what I am talking about...

It's the easy way out for your QSA to just tell you "You need to upgrade", and if you only have 1-3 restaurants it may very well be the easy way out to upgrade. But I am in the same position you are indicating, hundreds and hundreds of locations...

Good luck, I am no expert but wanted to share some insight.

 
Right, and as soon as you're breached all the band-aids go right out the window. It's just not worth the risk IMO. A week of PCI fines for non-compliance will exceed the cost of just replacing the workstations and 20 servers.
 
I understand it's very important to keep your guard up and do risk assessment. However, when you consider that the FBI can still knock on your door re: cc fraud and that in the end (the breach) may have nothing to do with your POS system but the resulting forensic audit will nonetheless lead to severe financial stress, it really can influence your decision process re: hardware/software upgrades for PCI concerns.

Some CC merchants will decide to roll the dice, that's very different than advising them to roll em.
 
It's about putting all the information on the table and letting folks decide what works for them. This does not create a non-compliant environment. It's an approach that can buy you more time and should not be considered a long term solution. The whole point is staying compliant AND managing costs/capabilities.

PCI is extremely important but at times the opinions that are driving business decisions and costs are quite nutty. No need to troll.

 
First, I hope that trolling comment wasn't regarding my post.

I agree that people have to decide their acceptable risk level for themselves. The only problem is that most mom & pop type restaurant owners aren't technical or legal people, this stuff is confusing, and they need someplace to turn for solid advice. I asked the company we have contracted for our quarterly PCI scans about the locations we have with XP workstations and they have to be replaced. Sure, there are measures you can take to limit your vulnerability, but the fact remains that if you're unlucky enough to get breached the equipment running unsupported OS versions are not compliant. The McAfee link is helpful for cutting down the chance of a breach on XP servers, but it's a moot point unless you run McAfee on all of the expired workstations and configure a whitelist for each. The system is only as secure as the weakest link. I don't like or agree with that when the workstations have no access to the outside world, but it is what it is.
 
Wow, I can't believe that embedded NT is still out there.
 
So back to the original ? LOL

Can end-users downgrade their XP OS to POS Ready 2009? Is it possible with the current COA on the XP box OR must end-users purchase (upgrade) to POS Ready 2009?
Will any pc currently running the XP OS run POS Ready 2009 w/o issue?
 
... is POS Ready 2009 considered Windows XP by the folks who write the PCI-DSS stuffs...?
 
While Microsoft is almost assuredly NOT going to provide a route from XP to POS Ready 2009 for free, meaning you still have to purchase the Operating System, Microsoft does have this to say:

Will POSReady 2009 run all my applications?
Windows Embedded POSReady 2009 is built on the Windows XP Professional base. Applications that are compatible with Windows XP Professional should run on POSReady. As always, you must thoroughly validate your applications to guarantee that they behave as expected before you deploy them to production. You must also review applicable licensing agreements to make sure you can use the application on POSReady. For example, applications such as Microsoft Office are restricted, thereby preventing the user from using the application on POSReady.


And yeah.. I see its life ends in 2019, which is odd given that server 2003 dies in 2015; they are using the same kernel, are they not?
 
The longer support is probably due to the limited use of POSReady compared to 2003 rather than the kernel. There's no real development for POSReady, so continuing support isn't holding anything back. By pushing everyone forward to Win7/8 and 2008, Microsoft can keep moving forward instead of dumping support & development resources into dinosaur products.
 
Hmm, see your point there. I do wonder if the PCI-DSS thing gives different stipulations? Or is it based purely on the date Microsoft gives?
 