
Why Windows XP Is Putting POS Systems at Risk


In our previous post, we discussed the pending deadline for switching to Europay, MasterCard and Visa (EMV) payment cards. Although switching to EMV cards is voluntary, merchants who process fraudulent purchases with non-EMV card readers after October 1, 2015, will be liable. The cards themselves will provide additional security at the point of sale (POS), but organizations will need to update their POS systems to minimize the risk of fraud.


In the midst of all of these changes, the 2015 Mid-year Point-of-Sale (POS) Security Health Assessment from Bit9 + Carbon Black revealed that more than half of organizations are using POS systems with unsupported Windows XP operating systems. Ninety-four percent of organizations use antivirus software, but 26 percent believe antivirus is not enough. Also, one in four companies that increased their security budgets continued to invest in antivirus protection. While antivirus is an essential part of security, these statistics indicate an overreliance on tools that are incapable of detecting or stopping advanced threats.


Most Windows XP embedded operating systems, including some used on POS devices and ATMs, will remain supported until early next year, but that shouldn’t give merchants peace of mind. POS systems generally receive weak support from IT. Most run outdated platforms that are rarely, if ever, patched and maintained. Many use default configurations and passwords, making them easy targets for hackers. Beyond these inadequate defenses, POS malware attacks continue to increase in number because POS systems provide a gateway to a number of systems within the corporate network.


New forms of malware have been designed specifically to attack popular POS systems, scrape credit card data, steal passwords, and upload data to remote servers. Some of these threats are capable of downloading updates on their own to add features and eliminate bugs. Although Windows XP users are easy targets, newer versions of Windows are also at risk, and hackers are always looking for new ways to infect POS systems.


Just as hackers understand the opportunity created by outdated POS systems, merchants need to understand the risks, be more proactive and follow security best practices. Around-the-clock network monitoring enables organizations to track network activity in real time, monitor remote access software and detect suspicious behavior. Two-factor user authentication, as well as updated firewalls and antivirus software, will help to prevent unauthorized access to the POS. Of course, all systems must be regularly patched and maintained in order to be effective.


Organizations that continue to use Windows XP on their POS systems are knowingly increasing the risk of a security breach. In the very near future, all XP support will be cut off. Those who don’t start planning now will be left scrambling for an effective replacement. This is bad for business and bad for your customers. Let ICG evaluate the state of your POS systems and implement the updates you need to keep criminals at bay and protect your data.