Retail IT experts warn on XP deadline

Tuesday April 8 2014

After years of warning, Microsoft has today discontinued support for Windows XP and Office 2003. RetailTechnology.co.uk explores the impact on retailers.

Today, 8 April 2014, marks the end of support for two venerable Microsoft products: Windows XP, including XP Embedded, and Office 2003. 

With some estimates putting the numbers of retailers in the UK still running the operating system (OS) at 20%, retail IT experts agree action is paramount.

Retailers that continue to run Windows XP without support will expose their data and IT systems to growing risk as the number and severity of security exploits increase, while continued support from Microsoft will be costly.

The IT systems most at risk are those handling sensitive personal information, which the Data Protection Act requires to be protected, and those processing card payment data, which must be kept up to date with security patches under Payment Card Industry Data Security Standards (PCI DSS) Directive 6.1.

Creating a modern IT platform

James Rodger, managing director of specialist technology systems and services provider Retail IT, told RetailTechnology.co.uk that, while some retailers believe Microsoft should maintain support indefinitely, none can really afford to ignore its decision.

“Most of our clients made the migration away from XP as part of a natural progression at least 24 months ago or longer, with Windows 7 as their OS of choice,” he said. “They tend to split into two groups: the larger retailers, who may still have some machines running XP; and smaller independent retailers who are perhaps under less pressure to upgrade.”

Where systems running XP or XP Embedded are not networked or connected to the internet, Rodger said the risk of a security breach exploiting their lack of vendor support was lower.

“I would say that retailers running integrated card processing systems need to upgrade,” he added. “Newer OSes are also better placed to exploit the latest technologies and take advantage of new hardware, like touch interfaces.”

Update inertia risks data security

Chris Strand, senior director of compliance for endpoint and server threat protection provider Bit9, commented that large retailers with distributed systems that are not powerful enough to run Windows 7 or Windows 8 and their point-of-sale (PoS) equivalents face an infrastructure nightmare with hardware and legacy application upgrades needed to support new OSes.
 
“End-of-life also means potentially losing use of major credit cards and access to business critical data, financial penalties for non-compliance plus damage to your corporate brand as a result of data breaches and compliance failures,” he said.
 
“Positive Security or application lockdown answers the ‘end-of-life’ challenge – taking known or ‘good’ functions on endpoints such as PoS, ATMs and kiosks, adding rules to increase what’s known and allowed, while shutting out applications that aren’t trusted,” Strand added. 

He also suggested retailers can harden ‘out-of-date’ systems like XP – by removing software features and disabling unnecessary services, for example – preventing zero-day exploits and targeted attacks.

Measured response to threats

But TK Keanini, chief technology officer at network visibility and security intelligence firm Lancope, urged retailers not to panic. “Only a few variants of the XP operating system will be end-of-support,” he wrote this week in a blog.

Windows Embedded for Point of Service SP3, used in PoS devices and built from Windows XP Embedded, will see its extended support end on 12 April 2016. And Windows Embedded POSReady 2009, which reflected updates available in Windows Embedded Standard 2009, will reach its end of support on 9 April 2019.

“When it comes to embedded systems (non-desktop versions of XP), the only one that people need to take urgent action on is Windows XP Professional for Embedded Systems,” continued Keanini. 

“This product is identical to Windows XP and Extended Support will end on 8 April 2014. If you have an XP variant for which support is ending, you need to treat it as if it were already dead and move quickly into getting it replaced. Pretend that it caught fire, and you will be moving with the right amount of urgency.”

Weighing up the options

In a recent RetailTechnology.co.uk article about the XP deadline, James Stannard, software brand manager at IT supplier and distributor Arrow OCS, suggested that choosing POSReady 2009 could extend the life of the XP Pro SP3 code until 2024, with support for the embedded components until 2019. 

“Add McAfee Application Control into the mix and you have a truly hardened, secure retail system,” he suggested.

Whatever course of action those retail XP laggards take, Stannard also updated his advice, adding: “It’s too late for strategic planning, now is the time for action.”
