The ATMIA earlier this month released a white paper outlining several of the risks that operators face by choosing to remain on Windows XP. The paper is available only to registered members of the association.
An executive summary provided to Computerworld highlighted several issues. Since Windows XP was launched, more than 700 vulnerabilities have been found in the operating system. "After April 8th 2014, Windows XP will essentially have zero-day vulnerabilities for perpetuity," the statement noted.
Most ATM hacks have been at the hardware level and through the use of devices like skimmers. Other security risks include attacks on an ATM's network, local ports, or browser, the summary said.
Without Microsoft's technical support and security fixes, ATM operators also risk falling out of compliance with requirement 6.2 of the PCI DSS, which stipulates that all system components handling credit and debit cards are fully supported by a software or hardware vendor.
"If a vendor isn't providing patches due to support having been discontinued, then by definition that system cannot be PCI DSS compliant," said Jim Huguelet, an independent retail security consultant. "As a general rule, retailers would be concerned about running any systems without access to ongoing security analysis and patches, but it is PCI DSS requirement 6.2 that brings the issue to the forefront."
A joint statement issued by the PCI SSC and the ATMIA pointed to several compensating controls that ATM operators can implement to remain compliant with PCI requirements even while remaining on Windows XP.
"To be effective, the compensating controls must protect the system from vulnerabilities that may lead to exploit of the unsupported code," the statement said.
Examples of controls that, used in combination, could mitigate the risk include active monitoring of system logs and network traffic, application whitelisting, and isolating Windows XP systems from other systems and networks. No single one of these controls is sufficient on its own, but together they could potentially qualify as a compensating control from a PCI compliance standpoint.
"Compensating controls should only be considered a temporary solution," Troy Leach, CTO of the PCI SSC, said in the statement. "Organizations should have a migration plan to upgrade in a reasonable amount of time to a supported operating system as the OS serves as the foundation for services and other security controls related to protecting cardholder data."