1/28/2020

Windows 7 Extension Option for ATMs

As you know, Microsoft is ending support for Windows 7 on January 14, 2020. To remain in compliance with the Payment Card Industry Data Security Standard (PCI DSS) on machines that are still running Windows 7 after this date, an extension license is needed. It’s important to note that this is not a permanent solution. The Extended Security Update (ESU) program will distribute “Critical” and “Important” security updates only. ESUs do not include new features, customer-requested non-security updates, or design change requests.[1]

In many cases this can be an effective short-term strategy, allowing you more time to determine the best path for your institution.  Unfortunately, extensions obtained from the ATM manufacturers tend to be quite costly or come with strings attached (like a signed order for a future upgrade or replacement ATM).

Through Equips, you now have another option.  Under our Remote Managed Services Program, Equips is able to offer one of the most flexible solutions available to enhance your security posture. We are combining the Microsoft Windows Extended Security Updates (ESU) with our additional security features to offer a plan to keep the regulators at bay.

Contact Equips below for more information.

Why bother with Windows 10 at all?

Death, taxes, and Microsoft upgrades.  Like it or not, if your ATM runs on Windows, upgrades are a fact of life, and there are a number of valid arguments for migrating to Windows 10. New features and functionality are a draw for some, but most are doing it to remain compliant. All Financial Institutions are subject to PCI DSS compliance and requirement #6 affects your ATM network.

6.2 Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.[2] 

Financial Institutions are audited on a quarterly or annual basis for compliance. Not all states require compliance by law, though Visa, MasterCard, Amex, and Discover require this for cards to be issued on their networks.[3]  So in short, PCI DSS is applicable to all Financial Institutions, and Windows 7 end-of-life affects their ability to be compliant.  Your specific situation may vary, so some careful research on compliance requirements is recommended.

What are my options?

Do Nothing

While this is technically an option for Financial Institutions, it is one that leaves them open to risk and is not recommended. In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines, and more.[4][5]   Avoiding or delaying upgrades is an option, but we encourage you to be aware of the potential risks before taking this path.

Temporarily Extend your Windows 7 Security

As mentioned above, Equips can facilitate your Windows 7 ESU as a near term option while you evaluate your long-term strategy and goals.  This approach will provide you with the critical and important security updates you need with a simpler, cost-effective program.  Contact us to learn more about this option and how we can help with your strategy.

Upgrade to Windows 10 or Replace with a New ATM

This is the most straightforward, albeit the most expensive, option. While Equips does not sell ATM equipment, we do offer our clients an unbiased, consultative voice to help weed through the options. We work with a network of nationwide service providers and value-added resellers and can connect you with the right resources for your needs. If you are considering investing in new hardware and are looking for information on technology trends, equipment failure rates, or to talk to a peer who has been through this process, Equips can help.

I’m running Windows 10 so I’m all set, right?

Upgrading your ATMs to Windows 10 is a great first step. To stay compliant from there, make sure you are regularly patching and monitoring your network. For Equips clients, the key to maintaining a good security posture includes an ongoing cadence of monitoring and updating through the Equips Remote Managed Services. Our flexible solution offers a la carte options for monitoring, Windows patching, and additional security measures. Contact us to learn more.

1 https://www.atmmarketplace.com/blogs/does-our-fi-need-to-be-pci-compliant/

2 https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1541530394007

3 https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates

4 https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

5 https://www.mymoid.com/pci-non-compliance-consequences/
