This document examines the impending end of support for Windows XP and the risks this poses, particularly for payment devices that will no longer be PCI compliant. It notes that many businesses have failed to address the issue and migrate from XP, despite the security risks it will leave them exposed to. Embedded software alternatives that can replace XP are described, but many businesses remain unaware of these options. The author argues that failing to address the XP issue will put businesses at risk of financial penalties or losing the ability to process payments.
Embedding success in your business www.avnet-embedded.eu
Introduction

It is surely not too much to hope that the attitude of businesses to imminent and game-changing technology upheaval is one of thoroughness, timeliness and responsibility.

This is all the more critical when an entire value chain is completely dependent upon the technology in question – vendors, distributors, integrators, OEMs, resellers, end-user organisations, all the way down to the individual withdrawing cash from an ATM in the street.

It is all the more critical when failure to migrate to a new technology means spiralling vulnerabilities and gaping holes in security that will no longer be fixed.

It is all the more critical when the technology in question will no longer comply with industry regulations that govern the safe electronic movement of billions of dollars every day, effectively rendering every credit and debit card transaction hazardous.

In short, when we’re talking about something as significant as “end of life” – the withdrawal of support that heralds the definitive demise of a particular software, operating system or other technology – businesses have a duty to move to migrate to an alternative, and vendors have a duty to provide that alternative.

But with the imminent demise of XP, this model has, arguably, dissolved. This piece examines the realities, risks, options and alternatives for a world and an economy that are soon to be XP-free (at least in the current sense) – and explores why many businesses and commentators are apparently in denial over this successful operating system’s impending swansong.
Nick Donaldson, Director, Avnet Embedded nick.donaldson@avnet-embedded.eu
The nature and impact of XP’s demise

The exit of Microsoft XP does not follow the “rules”. It is not a necessary transition from an obsolete operating system to a better one, as with the move, say, from NT to 2000. Neither is it an improvement from one form of an operating system to an enhanced variant.

In fact, the death of Microsoft XP represents a complete disconnect from established practice – and this is perhaps why many businesses (fed, it has to be said, by unhelpful misinformation from vendors and their partners) are either failing or refusing to grasp the impact thereof.

As one consultancy firm put it in London’s Daily Telegraph, “In these tough economic times, it is not surprising that business leaders do not want to invest a substantial amount of money in something that essentially isn’t broken, as is the case with Windows XP today.” Donning the blinkers, focusing on the accounts and pretending the problem will go away thus appears to be the preferred action plan of many of our so-called “business leaders”.

If more proof were needed, here it is. A recent industry survey, cited in The Register, shows that 40 per cent of respondents said their companies had “yet to even start migrating off XP”, and 20 per cent of respondents were not planning to do so at all.

So, in an attempt to rouse these businesses from the comfort zone, let’s take just one (terrifying) example to clarify what an appalling false economy their current approach could prove to be – that of payment devices.
“Panic? What Panic?”
Is the industry in denial over the death of XP?
Huge numbers of these devices and their applications currently run on XP – POS tills, chip and PIN terminals, parking payment machines, motorway toll barriers, ATMs – the list is unrelenting. From April 2014, XP support for all these devices will cease. The resulting lack of updates and patches will mean that those millions of devices are no longer compliant with PCI (Payment Card Industry) regulations.

This puts at risk everybody who is in any way involved with the creation and use of payment devices. It affects the businesses that supply the hardware and software on which the devices are built. It affects the businesses that build the devices. It affects the businesses that distribute them. It affects the businesses that use them, and, of course, it affects the individual end-users whose hard-earned cash is suddenly a target for hackers looking for outmoded security and easy pickings.

Security experts have already predicted a rash of these attacks come April; as Gregg Keizer of Computerworld recently reported, “Hackers could find themselves in the catbird seat on April 8, 2014... those who have zero-day exploits for XP will bank them until that day and then sell them to crooks or loose them themselves...”

PCI enforcers, on the other hand, can fine businesses up to £400,000 for being non-compliant, and sellers (merchants) using the devices run the risk of losing their merchant account and being placed on the Visa/MasterCard Terminated Merchant File (TMF) – making them unable to take credit or debit payments for several years, if ever.

Any machine or device running the operating system, from your home PC to a corporate or banking network, will rapidly become increasingly vulnerable once support is withdrawn – but, of course, payment devices, given their lucrative function, will be the most urgently deficient.
So where now?

Confronted with such a potentially apocalyptic scenario, let’s suppose for a moment that the businesses in the value chain that produces and distributes payment devices asked themselves “So what are the alternatives?” And this is where wholesale confusion reigns.

Many seem to think that help will still be readily available for PCI compliance after withdrawal. And indeed, according to law firm Pinsent Masons, quoted in The Register, businesses that continue to use Windows XP after 8 April 2014 will be able to engage with Microsoft or a licensed sourcing provider if they want to manage new or existing vulnerabilities and continue to comply with PCI requirements. But the implication is clear – these services do not come for free.

Some see moving to Windows 7 or 8 as an option. Indeed, it is, but as I said earlier, the withdrawal of XP is no ordinary migration exercise, and nowhere is this clearer than in the lack of seamlessness between XP and Windows 7 and 8. Firstly, 7 and 8 do not support all of the devices that XP supports. Secondly, and rather more seriously, 7 and 8 will not necessarily be PCI-compliant on those particular devices even if they do support them. False hope aplenty.

Making the switch over to a newer Windows operating system will also have other implications for a company’s infrastructure, and there could be complications in getting all the devices across a business to run on the same platform, particularly in larger businesses where multiple servers and point of sale devices are deployed. Whichever way you slice it, budget looms large in the process.
Embedded misunderstanding

Most damaging of all, however, is the lack of understanding around the options for using embedded software instead of standard XP. Many businesses in this space still think, for example, that embedded software requires a hardware refresh. Not so. Embedded offerings also include XP-based operating systems, such as POSReady 2009 and WES 2009, which can be delivered via a software services model, with no hardware implications.

Embedded licensing also allows for a longer lifespan of devices, with some embedded products being available or supported for up to 15 years (thus avoiding exactly the kind of disruptive support withdrawal situation that businesses are currently having to deal with!).

The benefits of embedded aren’t just limited to prolonging support life, however; there is also much greater licence discounting, higher levels of efficiency, locked-down functionality and full customisation support, enabling easy integration into a business environment. And there is no shortage of choice for XP users – the embedded variants of XP are abundant.

Embedded is not, by any means, the only choice, and no choice can ever be perfect in every respect, but there is far more to recommend embedded technology as a replacement for the outgoing XP than the industry currently realises.
Facing up to XP’s passing

So how is it that the virtues of embedded just have not been properly grasped? Here, I hold my hands up. This industry (and this company) could have done a much better job of demystifying the embedded software value proposition to the payment device value chain. The level of misunderstanding in the marketplace proves it. So let’s not blame it all on the customer.

But at the same time, I question the competence of business “leaders” who would sleepwalk their organisations (and those who interact with their products) into huge financial risk, rather than address a technical issue that requires some out-of-the-box thinking.

Yes, the demise of XP is disruptive. Yes, XP has been effectively killed off by Microsoft in an act of unnecessary and premature euthanasia. Yes, this means that it doesn’t fit the mould of technology change that businesses are used to coping with. And yes, I can understand why, a year ago, businesses may not have wanted to deal with it immediately.

But in the final analysis, we now have only six months to go before a lot of businesses start haemorrhaging their customers’ money to hackers, and their own to the authorities that will surely prosecute them. Yet still the minor leap to an XP-like alternative – a POSReady 2009, or a WES 2009, as compared to the relatively major upheaval required in deploying Windows 7 or 8 – seems to be a bridge too far for many of the businesses handling your and my money on a daily basis.

Technology denial? I call it business suicide.
For more information
Please visit our website www.avnet-embedded.eu, email uk@avnet-embedded.eu or call +44 (0)1628 518 900