The Microsoft support lifecycle is changing
In 2016, Microsoft changed the support life-cycle for Windows Embedded POSReady 7, Microsoft’s operating system designed for Point of Sale devices, resulting in the end of support on October 12, 2021. For those running POSReady 2009, the date is even earlier: April 9th 2019. After POSReady 7 Extended Support ends, Point of Sale computers.
Retailers with legacy POS hardware terminals purchased prior to 2014 should closely examine which generation of processors their POS uses. Those that have Intel or AMD processors manufactured in the last 6 years or so will NOT be able to upgrade to 32-bit Windows 10. With no supported upgrade path to 32-bit Windows 10, many retailers are faced with costly POS hardware and/or software upgrades.
While this may suit some retailers’ IT road-map and investment plans, there are many that are seeking a secure way to extend the life of their existing POS hardware investment. Importantly, retailers want their investment cycles to be driven by business and customer needs, not external supplier strategy.
The compliance implications of this change are significant. Section 6.2 of PCI-DSS version 3.2 requires that all system components and software be protected from known vulnerabilities by installing applicable vendor-supplied security patches. Critical security patches must be installed within one month of release.
If a vendor no longer supports an application or operating system, then there will be no software patches available. In this circumstance, it is no longer possible to use the software and still be PCI-DSS compliant without appropriate compensating controls. Without action, this will be the situation for impacted POS systems from 2021. Given that a planned upgrade for large retailers can run for 18 to 24 months, prompt action will be required.