Earlier this year, Microsoft ended support for its embedded Windows 7 products, leaving those systems at higher security risk and more exposed to malware. Since January 14, 2020, Windows 7 users have stopped receiving software updates, including security updates. After support ended, concerns were raised around the world about the security and compliance of financial institutions operating ATMs.
Concerns have been raised that Pakistan’s ATM infrastructure is now more vulnerable to security threats, since it no longer receives security-related updates following the expiry of Microsoft support. It is important to note that Pakistan’s ATM footprint has grown to more than 15,600 machines across the country, handling Rs6 trillion in just over 500 million transactions in FY20 alone.
With just a handful of advanced multipurpose ATMs, Pakistan’s ATM ecosystem is mostly basic cash-dispensing machines. This typically implies low cost and modest hardware requirements for upgrades. For others, upgrading the current operating system to ensure security compliance may be an expensive job, since Microsoft suggests replacing existing machines with new ones for better performance.
In some cases, replacement with new computers may also be necessary, as the Windows 10 hardware specifications are considerably higher than those for Windows 7. Neither best practice nor the global Payment Card Industry Data Security Standard (PCI DSS) benchmark is inherently breached by banks that continue with Windows 7.
Requirement 6.2 of the PCI DSS states, “Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.” It means that operating systems must be upgraded from Windows 7 to Windows 10 in order to be PCI DSS compliant. But Microsoft also gives those who want to stick with the current operating system and/or are not yet ready to make the transition a window of opportunity. For customers who need to run Microsoft products after the end of support, Microsoft’s Extended Security Update (ESU) programme is a last-resort solution.
The ESU will be available for a period of three years from the end-of-support date and will last until January 2023 for most of the components. To continue receiving security updates after the end of support, customers are expected to purchase the ESU updates. No design improvement requests or new functionality will be included in the ESU updates.
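The two conditions described above, the PCI DSS 6.2 one-month patching window and the requirement that a Windows 7 machine after end of support be covered by ESU, can be turned into a fleet-level audit. The following is an added example, not code from the article or from any bank or regulator: it assumes a constructed inventory of four ATMs with an operating system, an ESU flag and the release and installation dates of the newest applicable critical patch, and flags the machines a compliance reviewer would want to look at. The end-of-support date comes from the article; the exact ESU expiry day and the 30-day reading of "one month" are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Dates stated in the article: Windows 7 support ended 14 Jan 2020 and ESU
# runs until January 2023. The exact ESU expiry day below is an assumption.
END_OF_SUPPORT = date(2020, 1, 14)
ESU_END = date(2023, 1, 10)          # assumed day within January 2023
PATCH_WINDOW_DAYS = 30               # assumed reading of "within one month"


@dataclass
class Atm:
    atm_id: str
    os: str                                   # "Windows 7" or "Windows 10"
    esu_enrolled: bool
    critical_patch_released: date             # newest applicable critical patch
    critical_patch_installed: Optional[date]  # None = not yet installed


def findings(atm: Atm, as_of: date) -> List[str]:
    """Return the compliance issues for one machine as of the given date."""
    issues: List[str] = []

    # Support status: Windows 7 without ESU after end of support gets no
    # security updates at all; ESU coverage itself lapses in January 2023.
    if atm.os == "Windows 7" and as_of >= END_OF_SUPPORT:
        if not atm.esu_enrolled:
            issues.append("windows7-unsupported-no-esu")
        elif as_of > ESU_END:
            issues.append("esu-expired")

    # PCI DSS 6.2: critical security patches within one month of release.
    if atm.critical_patch_installed is None:
        if (as_of - atm.critical_patch_released).days > PATCH_WINDOW_DAYS:
            issues.append("critical-patch-overdue")
    else:
        delay = (atm.critical_patch_installed - atm.critical_patch_released).days
        if delay > PATCH_WINDOW_DAYS:
            issues.append("critical-patch-late")
    return issues


def audit(fleet: List[Atm], as_of: date) -> Dict[str, List[str]]:
    """Map every ATM id to its list of findings (empty list = no issue)."""
    return {atm.atm_id: findings(atm, as_of) for atm in fleet}


# Constructed sample inventory for illustration only.
SAMPLE_FLEET = [
    Atm("ATM-001", "Windows 10", False, date(2020, 8, 11), date(2020, 8, 20)),
    Atm("ATM-002", "Windows 7", False, date(2020, 8, 11), date(2020, 8, 20)),
    Atm("ATM-003", "Windows 7", True, date(2020, 7, 14), None),
    Atm("ATM-004", "Windows 7", True, date(2020, 6, 9), date(2020, 7, 21)),
]


def audit_sample(as_of_iso: str) -> Dict[str, List[str]]:
    """Run the audit over the constructed fleet as of an ISO date string."""
    return audit(SAMPLE_FLEET, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for atm_id, issues in audit_sample("2020-09-01").items():
        print(atm_id, "OK" if not issues else ", ".join(issues))
```

Run against the sample as of 1 September 2020, ATM-001 is clean, ATM-002 is flagged for running Windows 7 without ESU, ATM-003 has a critical patch outstanding for 49 days, and ATM-004 installed its patch 42 days after release. Re-running the same inventory with a date after January 2023 additionally flags the ESU-covered machines as expired, which is the point at which even the ESU route stops being a compliance answer.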
Given Pakistan’s very simple ATM infrastructure, any requirements beyond critical security upgrades may be considered additional. The compliance department of the central bank would do well to ensure that all banks, if they have not made the more recommended move to Windows 10, have at least already opted for the ESU updates.