Thousands of companies at risk of breaking compliance rules, warns MWR InfoSecurity

Thousands of companies throughout the UK are at risk of unwittingly breaking compliance regulations covering payment card data and other personal information when Microsoft withdraws support for Windows 2000 this July, IT security testing specialist MWR InfoSecurity has warned.

Software support is crucial for any company that handles payment card data and wants to remain Payment Card Industry (PCI) compliant. The PCI Data Security Standard (DSS) lays down requirements to guarantee the safe storage of payment card data and prevent fraud. Using any operating system (OS) that is no longer supported by its vendor automatically results in a state of non-compliance – as well as an elevated risk to the consumer. Unsupported systems will not (by definition) receive vendor patches and hence will be non-compliant with PCI DSS requirement 6.1.

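As an added illustration (not code from the article or from MWR InfoSecurity), the check below walks an asset inventory and flags cardholder-data-environment hosts whose OS is past, or within 90 days of, vendor end of support, which is the condition that fails requirement 6.1. The inventory is constructed; the end-of-support table is an assumption for this example (the article gives only "13 July" for Windows 2000; the year and the other entries are supplied here).

```python
from datetime import date, timedelta

# Vendor end-of-support dates (assumed for this example; verify against the
# vendor's own lifecycle pages before relying on them).
END_OF_SUPPORT = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# Constructed sample inventory: hostname, OS, and whether the host is in the
# cardholder data environment (CDE) and therefore in PCI DSS scope.
INVENTORY = [
    {"host": "pos-till-01", "os": "Windows 2000", "in_cde": True},
    {"host": "backoffice-db", "os": "Windows Server 2003", "in_cde": True},
    {"host": "hr-laptop-07", "os": "Windows XP", "in_cde": False},
    {"host": "pos-till-02", "os": "Windows 7", "in_cde": True},
]


def support_status(os_name, as_of, warn_within=timedelta(days=90)):
    """Classify an OS on a given date: supported, expires_soon, unsupported,
    or unknown (not in the table, so it needs a manual lifecycle check)."""
    eol = END_OF_SUPPORT.get(os_name)
    if eol is None:
        return "unknown"
    if as_of >= eol:
        return "unsupported"
    if eol - as_of <= warn_within:
        return "expires_soon"
    return "supported"


def pci_6_1_findings(inventory, as_of):
    """Return (host, os, status) for every in-scope host that is not cleanly
    supported. 'unknown' is reported too: an OS that cannot be matched to a
    lifecycle entry must not silently pass."""
    findings = []
    for asset in inventory:
        if not asset["in_cde"]:
            continue
        status = support_status(asset["os"], as_of)
        if status != "supported":
            findings.append((asset["host"], asset["os"], status))
    return findings


if __name__ == "__main__":
    for host, os_name, status in pci_6_1_findings(INVENTORY, date.today()):
        print(f"{host}: {os_name} is {status}")
```
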
“One of the key factors that dramatically elevates the risk is the number of financial systems that may still be using older software because of a natural reluctance to upgrade critical systems which still ‘do the job’. This is expected to include back office systems as well as systems (PoS) used by retailers to record and process card payments,” said Jonathan Care, MWR InfoSecurity head of fraud risk and compliance.

‘Making do’ may introduce risks

MWR InfoSecurity said it has seen that many “turnkey” retail systems maintained under a third-party support agreement make little or no provision for an OS refresh. The cost of testing a complex retail environment to ensure it will function on a new platform can be considerable. The unanticipated costs of responding to a breach, and of the enforced upgrade that follows, will be considerably higher, it added.

It warned that administrators could also be lulled into a false sense of security by the fact that, historically, legacy systems have not been observed to come under increased attack once support is withdrawn. But that ignores the considerable improvements in the default security of newer operating systems, which make older, weaker systems an increasingly tempting target. It would be only natural for someone who had developed an exploit against a soon-to-be-unsupported system to keep it under wraps until they knew it would never be patched, according to the firm.

A substantial percentage of business-critical systems are still running Windows 2000 and should therefore be the main focal point of enforced upgrade programmes. Care said he felt that this has been overlooked by many retail organisations and will almost certainly result in a substantial (and unintended) decrease in compliance – and in security.

“The main issue with the withdrawal of support is that, should any new vulnerabilities be found in Windows 2000 after 13 July, Microsoft will not release any fix (patch) to rectify the security problem,” he added. “This will leave any Windows 2000 system open to attack and exploitation, an issue that could have a massive impact when you consider how many systems use Windows 2000 to process card data. Clearly this issue needs to be highlighted as a matter of priority.”