Microsoft end of support for Windows 7: ATMs under no grave security risk?

Updated 21 Oct, 2020

KARACHI: Microsoft ended support for its Windows 7 embedded products earlier in the year, leaving the operating systems at greater security risk and more vulnerable to malware. Windows 7 users have not received software updates, including security updates, since January 14, 2020. Following the end of support, questions have been raised about the security and compliance of financial institutions operating ATMs around the world.

There have been concerns that Pakistan's ATM infrastructure is now more exposed to security threats after the expiry of Microsoft's support for security-related updates. It is important to note that Pakistan's ATM footprint has expanded to over 15,600 machines across the country, with a little over 500 million transactions conducted in FY20 alone, amounting to Rs6 trillion. Pakistan's ATM ecosystem is largely brick and mortar, with only a handful of specialised multipurpose ATMs. This usually means low-cost, low-maintenance hardware requirements. Replacing the existing operating system to ensure security compliance could be a costly affair for some, because Microsoft recommends replacing existing computers with new ones for optimal results. In some cases, replacement with new computers might even be inevitable, as Windows 10 hardware requirements are significantly higher than those for Windows 7.

That said, banks continuing with Windows 7 are not necessarily violating best practice or the global benchmark, the Payment Card Industry Data Security Standard (PCI DSS). The relevant clause, number 6.2 of the PCI DSS, reads: "Protect all system components and software from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release." On the face of it, remaining PCI DSS compliant requires upgrading all operating systems from Windows 7 to Windows 10. But Microsoft still offers a window of opportunity to those who wish to continue with the existing operating system and/or are not yet ready to make the switch. Microsoft's Extended Security Update (ESU) programme is a last-resort option for customers who need to run Microsoft products past the end of support.

The ESU will be available for three years from the end-of-support date, and for most components it lasts until January 2023. Customers are required to purchase the ESU updates to continue receiving security updates after the end of support. The ESU updates will not include design change requests or new features. Given Pakistan's rather basic ATM infrastructure, any requirements beyond critical security updates may be considered secondary. The central bank's compliance department would do well to ensure that all banks have at least opted for the ESU updates, if not the more strongly recommended switch to Windows 10.

Copyright Business Recorder, 2020