PCI warning on XP

Todd

Hi All,

A heads up.

I got this notice on PCI-DSS (Payment Card Industry – Data
Security Standard) credit card security concerning XP's
end of life from a security vendor:

if you are still using it [XP] after April 8, 2014, you
will be considered out of PCI Compliance. Unsupported
and unpatched environments are vulnerable to security
risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization’s inability to maintain
its systems and customer information

Oh Brother! All the arguing I used did no good. Looks
like some of my customers will be forced to upgrade, even
though XP will be just fine with good security software
installed. Probably better without M$'s crappy updates!

PCI has some good things in it. Most of it is a worthless
paper chase.

-T
 
VanguardLH

Todd said:
I got this notice on PCI-DSS (Payment Card Industry – Data
Security Standard) credit card security concerning XP's
end of life from a security vendor:

if you are still using it [XP] after April 8, 2014, you
will be considered out of PCI Compliance. Unsupported
and unpatched environments are vulnerable to security
risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization’s inability to maintain
its systems and customer information

And yet there are POS (Point of Sale) machines still running Windows 98.
 
Todd

Todd said:
I got this notice on PCI-DSS (Payment Card Industry – Data
Security Standard) credit card security concerning XP's
end of life from a security vendor:

if you are still using it [XP] after April 8, 2014, you
will be considered out of PCI Compliance. Unsupported
and unpatched environments are vulnerable to security
risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization’s inability to maintain
its systems and customer information

And yet there are POS (Point of Sale) machines still running Windows 98.

Hi Vanguard,

Maybe it is my old age making me jaded, but to me PCI is
not about credit card security so much as it is about
shifting liability to the merchant. PCI has so, so
many hoops to jump through that I can not imagine any
merchant being able to pass any "Audit" if there
was a breach. I can see their lawyers now pointing at the
merchant, yelling, "See, he was not PCI compliant!
He is liable." (Ass holes.)

Did you notice that these ass holes threatened "Public
notification"?

And, if you really cared about POS security, you wouldn't
use Windows to start with! You'd use Fedora Linux with
fully SELINUX compliant code. AND YOU'D USE AN ENCRYPTED
CARD READER!

All but one of my clients have just blown off PCI
when they get a load of its hoops.

I tell my clients, if they can get a stand alone
(not read by a computer) encrypted card reader,
to do their credit cards that way. (PayPros has some
nice models).

One of the things that catches folks a lot is the hoop
about whether or not your computer stores credit
card information. Most mistakenly think that means
the eventual destination of the card information.
And, it does mean that. But it also means every step
along the way. Windows stores keyboard text (your
swiper is just a keyboard) in a clear text buffer
in a known memory location that can be easily harvested
(Target's breach). And, that is also considered
storing card information on your computer.

Want to scare the pants off a merchant? Open any text
editor (Notepad will do), make sure it is in focus (active),
then swipe a magnetic card you don't care about through
their unencrypted card reader (I use my AAA club card).
What appears on the screen will AMAZE and ASTOUND.
It is that easy to steal a card with a memory
scrubber (Target's breach) or a keystroke monitor.

I will shut up now.

-T
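Todd's Notepad demonstration shows what a keyboard-wedge reader types into whatever has focus. The scan below is added here and is not from the thread; it is the kind of check a PCI scoping tool runs over text buffers, logs or files to flag track 1/track 2 data and bare PANs and to mask them for reporting. The regexes, the Luhn filter and the constructed sample buffer (a test PAN, made-up name and expiry) are my assumptions.

```python
import re

# Constructed sample of what a keyboard-wedge swiper types into a focused
# editor: a test-number PAN, made-up name and expiry (not a real card).
SAMPLE_BUFFER = (
    "Order notes for table 7\n"
    "%B4111111111111111^DOE/JOHN^2512101000000000000?"
    ";4111111111111111=25121010000000000?\n"
    "Call back re: refund 4111-1111-1111-1111\n"
)

# Track 1 (starts with %, format code B), track 2 (starts with ;), and a
# bare 13-19 digit PAN, optionally broken up by spaces or dashes.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?\n]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?\n]*\?")
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI-style masking: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_card_data(text: str) -> list:
    """Return (kind, masked PAN) for each hit, track data reported first."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(("track1", mask_pan(m.group(1))))
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(("track2", mask_pan(m.group(1))))
    # Blank out track hits so the bare-PAN pass does not report them twice.
    rest = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", text))
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("pan", mask_pan(digits)))
    return hits
```

Any hit on a machine that is supposed to hold no card data means that machine is in PCI scope, which is the point Todd makes about "storing" meaning every step along the way.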
 
Todd

Todd said:
I got this notice on PCI-DSS (Payment Card Industry – Data
Security Standard) credit card security concerning XP's
end of life from a security vendor:

if you are still using it [XP] after April 8, 2014, you
will be considered out of PCI Compliance. Unsupported
and unpatched environments are vulnerable to security
risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization’s inability to maintain
its systems and customer information

And yet there are POS (Point of Sale) machines still running Windows 98.

And will no doubt continue to run it for years to come.

Hi CRNG,

Okay I know I said I'd shut up, but ...

Did you notice the threat of "public notification"?
In effect "If you don't use a crappy dog of an OS that
costs a ton in hardware to run and is less secure
and less stable than that old OS you are running
with decades of patches, then we are going to smear
you in public!"

No one wants a full business computer to run a single
function POS system! They just want to push the
button that says what size fries you want with that.
Like the computer in your microwave oven. Not like
an accountant running a spreadsheet on a full business
workstation. From a security standpoint, it is all
those extra functions that typically get you in trouble.

And most business systems get in trouble these days
from human engineering viruses (human gullibility).
THERE IS ONLY ONE QUESTION on the PCI questionnaire
about it (employee education). Ass holes trying
to shift liability...

I will do my best to shut up again,
-T
 
Paul

Todd said:
Hi All,

A heads up.

I got this notice on PCI-DSS (Payment Card Industry – Data
Security Standard) credit card security concerning XP's
end of life from a security vendor:

if you are still using it [XP] after April 8, 2014, you
will be considered out of PCI Compliance. Unsupported
and unpatched environments are vulnerable to security
risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization’s inability to maintain
its systems and customer information

Oh Brother! All the arguing I used did no good. Looks
like some of my customers will be forced to upgrade, even
though XP will be just fine with good security software
installed. Probably better without M$'s crappy updates!

PCI has some good things in it. Most of it is a worthless
paper chase.

-T

Why is a PCI system using a desktop OS as a platform?
Nice fat attack surface or something?

Why isn't there an OS certified for the job, running
on these systems? Something "locked down".

Paul
 
Todd

Todd said:
Hi All,

A heads up.

I got this notice on PCI-DSS (Payment Card Industry – Data
Security Standard) credit card security concerning XP's
end of life from a security vendor:

if you are still using it [XP] after April 8, 2014, you
will be considered out of PCI Compliance. Unsupported
and unpatched environments are vulnerable to security
risks. This may result in an officially recognized
control failure by an internal or external audit body,
leading to suspension of certifications, and/or public
notification of the organization’s inability to maintain
its systems and customer information

Oh Brother! All the arguing I used did no good. Looks
like some of my customers will be forced to upgrade, even
though XP will be just fine with good security software
installed. Probably better without M$'s crappy updates!

PCI has some good things in it. Most of it is a worthless
paper chase.

-T

Why is a PCI system using a desktop OS as a platform?

There are so many fun things you can do with them.
Automatic recurrent charges (with the customer's permission
of course), discounts for volume buying, refunds, promotions
(buy three of these get this other thing you don't want and
I can't sell for free), customer's buying history, etc..
Nice fat attack surface or something?

No fooling, especially when using Windows.
Why isn't there an OS certified for the job, running
on these systems? Something "locked down".

Yes, Fedora Core Linux with SELINUX compliant software.
But just try and get folks to use it.

Me personally, I'd love to run it from NVROM. Just
try and add or hijack it!

And, all PCI's malarkey, they only require data at
rest to be encrypted. Data in motion doesn't have to
be. AAAAAAHHHHHHHH !!!!

Paul, you make too much sense for a PCI discussion.

-T
 