Many merchants may not realize that they are using point-of-sale technology that runs on Windows XP, which Microsoft will no longer support after April 8.
As a Payment Card Industry forensics investigator and qualified security assessor, Trustwave director Chris Pogue says he has worked on more than 2,000 breach investigations and has yet to see a merchant who has upgraded to Windows 7 or 8 at the point of sale. "Windows XP is usually what they are running," he says.
Merchants who are unsure of what's under the hood of their POS applications should check with their bank or security provider to determine what needs to be done to avoid becoming vulnerable as Microsoft stops issuing security updates, Pogue says.
Microsoft regularly alerts installers and users to when an operating system will reach the end of its life cycle. For XP, Microsoft ended mainstream support in 2009, and end of life arrives on April 8, 2014.
"This has been on the IT roadmap for at least five years now," Pogue says. "But for merchants, it's clearly not their core competency and they have to rely on their POS integrators or POS companies. It's their responsibility as professionals who are aware of the situation."
Hackers are also aware of the situation, and many have likely waited until this day to launch code that exploits any unpatched vulnerabilities.
"If they released it before April 8, Microsoft is beholden to create a patch for it," Pogue says. "If they release it after April 8, they know nobody will be home and no one is going to stop them from robbing the house."
Hackers will also be watching for Microsoft to send out patches for potential vulnerabilities in the Windows 7 or 8 operating systems, says Al Pascual, senior analyst for Javelin Strategy & Research.
"Those alerts will be like a big red flag saying, 'Hey, odds are the same vulnerability exists in XP, but we are not going to fix that,'" Pascual says.
Small businesses will have the most issues because they lack dedicated IT staff, Pascual adds. "They are reliant on the POS manufacturer or software developer to provide security services and it puts them in a very difficult position."
Larger businesses, or even government entities, can upgrade systems more readily or even establish new contracts with Microsoft to continue servicing XP, Pascual says.
Merchants can still responsibly protect their systems if they use Windows XP, Pogue says.
"If the attacker finds a vulnerability in XP and launches an attack, he has to have access to the system he wants to attack," Pogue says. If a merchant has adequate controls on remote access and strong firewalls, the hacker may never get into the system in order to launch an attack, he adds.
For the same reasons, a fully updated and patched system is not a silver bullet for security either.
"If the merchant is operating the POS system under the default access password, or lacks firewalls, the hacker might just input the user name and password and get on," Pogue says.
More than a third of all desktop systems run Windows XP, according to Netmarketshare.com data. Though such data may not accurately portray how many merchant POS systems use XP as an operating system, it is a safe estimate that the share is likely equal to or greater than that number, Pogue says.
"The more important question might be how many merchants have no idea what system they are using," he adds. "All they see is the POS application; that's all they interact with."