Updating and extending Windows support for ATMs, payment kiosks and cash registers

Tomcat

Why did many banks and retail chains begin to massively update self-service devices, cash registers and operating systems in 2020? How to navigate the variety of OS and update options? How to save on updating and not pay twice? Who and how should update the software on ATMs and other devices? What to do if it is technically impossible to update the OS? These and other questions are answered by Valery Drobyshevsky, director of the IoT department at Kvarta Technologies, and Dmitry Akhtanin, head of software development and security solutions, LAN ATMservice (part of the LANIT group).

At the beginning of 2020, an important event occurred that affected the functioning of devices in both banking and other sectors - the end of support for Windows 7 by Microsoft. It gave rise to a wave of tasks related to updating not only the operating system, but often the entire fleet of outdated self-service devices and cash registers. Thus, the end of support for Windows 7 “pushed” the processes of natural hardware modernization.

To understand what this means for the smart device industry, we need to say a few words about what “Microsoft support” actually means.

What are the benefits of updates?

We all use updates. Almost everyone regularly downloads updates for their mobile devices, because we know that the manufacturer has closed the vulnerabilities that attackers are constantly looking for in the complex code of operating systems, firmware and drivers, and we do not want our banking application to be used by a fraudster, or our personal data and photographs to fall into the wrong hands. In addition, updates bring new useful features, as well as bug fixes in the code and updates to the built-in antivirus software. Updates are released regularly, closing the vulnerabilities found to date, and sometimes out of sequence if a critical vulnerability is discovered.

For the financial sector, the issue of ensuring maximum security for devices is especially critical, since it concerns a very real entity - money. And in other areas, such as retail, security, automation, government services, and so on, ensuring device protection has always been a top priority.

In addition to security, there are three more important points: compliance with regulations, support for the latest equipment and new functionality of the equipment.
Each industry has its own regulations. In the banking industry this is, for example, the Payment Card Industry Data Security Standard (PCI DSS): “All systems must have all appropriate software updates installed to protect against exploitation of vulnerabilities and the compromise of cardholder data” (Requirement 6 of PCI DSS). There are also requirements of the VISA International Payment System that all ATMs updated or installed in Russia after April 18, 2020 accept contactless cards and devices.

In industries working with personal data, the Law on the Security of Personal Data 152-FZ applies: “Control of the installation of software updates, including updating the software of information security tools” (Order of the FSTEC of Russia No. 21 of 02/18/2013, section VIII “Control (analysis) of personal data security”).

In the public sector, there is a risk of non-compliance with the requirements for connecting to government information systems: “When analyzing the vulnerabilities of an information system, the absence of known vulnerabilities in information security tools, hardware and software is checked, including taking into account information available to developers and obtained from other publicly available sources.” (clause 16.6 of the Information Protection Requirements. Order of the FSTEC of Russia dated February 11, 2013 No. 17).

As for supporting new equipment, this problem is encountered when servicing devices. New devices are often incompatible with unsupported operating systems, as hardware manufacturers focus primarily on the latest software versions.

End of support for Windows 7: who is affected and what to do?



So, the need for a supported operating system is obvious, but no manufacturer supports its OS indefinitely. New versions come out, and old ones become a thing of the past. Microsoft typically supports products for 10 years from the release date (this was the case before the release of Windows 10), sometimes extending this period slightly for various reasons. In January 2020, extended support for the most popular operating system of the past, Microsoft Windows 7, ended, so no patches, updates or antivirus database refreshes arrive on these devices any longer, making them more vulnerable every day. But this OS runs hundreds of thousands of devices around the world! Among specialized devices based on Windows 7, the leaders are ATMs, kiosks and cash registers.

It is this reason, coupled with the moral and technical obsolescence of equipment, that has led to a wave of updates in industries not only traditionally associated with a high share of the use of computer devices in operational activities, but also particularly sensitive to security issues, such as the financial industry and retail.

The most common operating systems on ATMs and kiosks are Windows XP Professional for Embedded Systems and Windows 7 Professional for Embedded Systems, as well as their derivatives - Windows Embedded POSReady 2009 and Windows Embedded POSReady 7. Solutions for Windows 10 are just beginning to appear, and so far their release is being held back by the inertia of both hardware and application manufacturers.

To choose a solution to the support problem, we will divide the devices into three groups, according to the degree of their readiness for updating.
  • Group 1: Legacy Windows XP devices
    built on hardware that does not support modern processors, which it is impossible or economically unjustifiable to move to Windows 7 or Windows 10.
  • Group 2: Not very old devices running Windows 7
    which are impossible (or expensive) to upgrade to Windows 10 because of hardware incompatibility, or because the device management software is not yet ready to run on Windows 10. And sometimes you simply don’t want to touch a “well-oiled machine.” This is currently the most numerous group of devices.
  • Group 3: Relatively modern devices still running Windows 7
    but technically capable of an upgrade to Windows 10. As a rule, these are devices 3-4 years old.
Next, we will consider possible paths for devices in each group.
  • Group 1: “Time to Rest”
    The fate of such devices is complete replacement. You can try to protect them with third-party tools, for example Kaspersky Embedded Systems Security, if this suits regulators and the information security service. As a rule, there is no point in updating their hardware; it is expensive and generally unjustified, although sometimes such attempts are made. Since our article is devoted to updating Windows OS, we will not consider this group in detail.
  • Group 2: “We’ll serve again!”
    Group 2 is characterized by the impossibility of moving to a supported Windows 10 while at the same time being in an acceptable state to continue working for several more years. The goal is to ensure delivery of security updates for Windows 7 installed on these devices.
For this scenario, Microsoft offers a very handy product called Extended Security Updates, or ESU for short.

ESU is paid support for a specific Microsoft product after the end of the main and extended support phases, providing security-related updates, but only those classified as “Critical” and “Important” (classification available on the Microsoft website).
It is important to understand that ESU does not provide updates related to new features or non-security related errors (see Table 1).

You can buy ESU only for a certain period. Table 2 lists these periods. For example, for Windows 7 for Embedded Systems, the maximum end date for paid support is January 10, 2023. However, you can buy ESU only until January 2022 if you do not need such a long period of support. Of course, it will cost less.

After purchasing ESU, you receive special software that must be installed on the device (only affects Windows) and a key that activates receiving updates. The updates themselves are delivered to the device in the same way as before; there is no need to reconfigure anything. In this case, the original operating system key is not affected or changed. The ESU key is installed in addition to the existing key.

ESU updates will be available to internet-connected devices through Windows Update (WU), and can also be downloaded for offline installation through the Update Catalog on a monthly or as-needed basis.

Your delivery partner will assist you if there are any problems activating the ESU.

Important! ESU licenses for Windows Embedded operating systems are purchased only through the device manufacturer or service company, via the OEM channel (IoT)! We have seen cases where the ESU option was purchased, unknowingly, through a corporate CSP channel intended for office PCs, and the key simply did not work.

What do we end up with? Without stopping work, at minimal cost, we ensured the safe operation of existing kiosks, ATMs and cash registers until January 2023 and maintained compliance with regulations. And during this time, you can begin to gradually replace devices with more modern ones.
  • Group 3: “Hale and hearty!”
    In this group, we have completely modern devices that can be updated to a new operating system without any problems and thereby ensure compliance with all regulations. One question - how to do this at minimal cost?
Here it is necessary to say a few words about the features of Microsoft licensing.

Microsoft has three main channels: retail (supplying keys or “boxed” products to individuals), corporate licensing (optimized for delivering software to organizations) and OEM (Original Equipment Manufacturer: supplying software to equipment manufacturers, including the manufacturers of the devices discussed in this article).

Most often, the end user (bank, retail chain, etc.) turns to its software supplier to update software products, or announces a tender for purchasing update licenses from the corporate channel, which is the right approach for updating office PCs and servers. However, many do the same when upgrading kiosks, cash registers or ATMs, which is not optimal from a cost perspective and can lead to additional costs and problems with the functionality of the device.

The standard way to update such devices is to contact the manufacturer or a service company. The fact is that according to the OEM licensing agreement (namely, operating systems for specialized devices are supplied through this channel), device support must be performed by the manufacturer itself or its authorized contractor. This is due to the complexity and specificity of such devices, which often require preliminary preparation and testing of each update image to ensure its functionality. By purchasing updates through the corporate channel (Open Value, Enterprise Agreement, Select, etc.), the customer will be forced to resolve the issues of installing these updates themselves or pay a third-party company to solve problems. Also, a license for such an update will cost significantly more.

We often hear a statement like this: “I will buy a Windows enterprise license for ATMs, because if I need to replace this equipment in the future, I will keep the license with the company and I will not have to pay again.” However, let's see where this leads.

Let's imagine a situation - a bank purchased a Windows 10 Upgrade license for Windows 7 devices in the corporate channel, paying significant funds (the license in the corporate channel is the most expensive!). Everyone knows that a Windows 10 Upgrade license requires the presence of a previous version and is not legitimate without it - you cannot buy an Upgrade for an “empty” device.

Then the bank wrote off this ATM; the Windows Upgrade license actually remained with the bank. However, the “basic” Windows 7 license is written off along with the device, since the OEM license cannot be “torn off” from the device and is disposed of along with it! Consequently, such an Upgrade ceases to be legal. There is only one way out - to buy Windows 10 along with a new device (otherwise you cannot purchase the full version), in fact - for the second time! That is, there was initially no point in such a “link” to the company, and this step led to additional costs instead of the expected savings.

The right way would be to contact the manufacturer, integrator or service company for the Windows 10 IoT Enterprise Field Upgrade, a special license for upgrading existing devices. This license will be guaranteed to be cheaper (sometimes several times!) than Windows 10 Upgrade in the corporate channel, due to licensing features.



Another downside to purchasing an ATM and kiosk upgrade from the enterprise channel is the servicing cycle you receive. Since 99% of people buy the cheaper Windows 10 Professional Upgrade, you (and your device) get the SAC (Semi-Annual Channel) servicing cycle, which: a) is notorious for its spontaneous updates (SAC versions are the ones that annoy with constant requests to update and reboot), and b) is supported only for a year and a half, after which you must either update again or lose support, with all the consequences described above.

Unlike the enterprise channel, in the IoT channel you purchase Windows 10 IoT Enterprise - the most complete version of Windows 10 to date, which has an LTSC (Long-Term Servicing Channel) update cycle, guaranteed to provide 10 years of support and not bother your device with requests to update. And at the same time - the most favorable price.

Thus, for Group 3 devices that support Upgrade to Windows 10, the best option is to purchase a Windows 10 IoT Enterprise Field Upgrade license, which can be supplied by device manufacturers, integrators and service companies.
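To put the ESU and servicing-channel discussion above into practice, here is an added example (not code from the article or its authors, and not a vendor tool): a read-only PowerShell inventory script that reports, for one device, the Windows version, edition, whether the build is LTSC or SAC, and whether an ESU add-on license is active, and then sorts the device into the article's Group 1, 2 or 3. It assumes, beyond what the article states, that LTSC builds of Windows 10 report `EditionID` of `EnterpriseS` or `IoTEnterpriseS`, that ESU add-on licenses contain "ESU" in their `SoftwareLicensingProduct` name, and that the usual `CurrentVersion` registry values are present. It is written against PowerShell 2.0 so it also runs on Windows 7 / POSReady 7.

```powershell
# Added example, not from the article. Read-only device inventory for update planning.
# Assumptions (not stated in the article):
#   - LTSC builds of Windows 10 report EditionID "EnterpriseS" or "IoTEnterpriseS";
#   - ESU add-on licenses carry "ESU" in their SoftwareLicensingProduct name;
#   - ProductName / EditionID live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
# Written for PowerShell 2.0 so it runs unchanged on Windows 7 / POSReady 7 devices.

function Get-DeviceSupportInfo {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver = [version]$os.Version

    # Active ESU add-on keys (Windows 7 / POSReady 7). LicenseStatus 1 = licensed.
    # The class does not exist on Windows XP, so errors are suppressed there.
    $esu = @(Get-WmiObject -Class SoftwareLicensingProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*ESU*' -and $_.LicenseStatus -eq 1 })

    $ltscEditions = @('EnterpriseS', 'IoTEnterpriseS')

    if ($ver.Major -eq 5) {
        # Windows XP / POSReady 2009: no vendor updates at all
        $group = 'Group 1: Windows XP family, no vendor support, replacement candidate'
    } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
        if ($esu.Count -gt 0) {
            $group = 'Group 2: Windows 7 with active ESU (security updates still delivered)'
        } else {
            # Hardware readiness decides between Group 2 (buy ESU) and Group 3 (Field Upgrade)
            $group = 'Group 2/3: Windows 7 without ESU - buy ESU or plan an IoT Enterprise Field Upgrade'
        }
    } elseif ($ver.Major -eq 10 -and ($ltscEditions -contains $cv.EditionID)) {
        $group = 'Windows 10 LTSC: long-term servicing channel, no licensing action needed'
    } elseif ($ver.Major -eq 10) {
        $group = 'Windows 10 SAC edition: short servicing window, re-check the support end date'
    } else {
        $group = 'Unclassified: review manually'
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        ProductName = $cv.ProductName
        EditionID   = $cv.EditionID
        Version     = $os.Version
        EsuLicenses = (($esu | ForEach-Object { $_.Name }) -join '; ')
        Assessment  = $group
    }
}

# Run locally; in a fleet, collect the objects centrally and export them to CSV.
Get-DeviceSupportInfo | Format-List
```

The script only reads WMI and the registry, so it is safe to run through existing device management tooling across the whole fleet before any licenses are bought; the `EsuLicenses` field is empty on a Windows 7 device where the ESU key has not been applied, which is the quickest way to spot units that were bought through the wrong channel and never activated. The same information can be cross-checked by hand on one device with `slmgr /dlv`, which lists every installed license including the ESU add-on.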

PS

In this article, we looked at the most common options for maintaining security and compliance with the regulations of your devices: Extended Security Updates (ESU) - paid extension of support for legacy ATMs, cash registers and kiosks based on Windows 7 until 2023 and a Windows 10 IoT Enterprise Field Upgrade license for those devices, which support Windows 10. However, there are many more scenarios in real life. Contact us, we are ready to consider your specific case and offer the optimal solution!

To purchase Extended Security Updates and Windows 10 IoT Enterprise Field Upgrade, please contact your device manufacturer, service company, or integrator, or email us.