On Tuesday, January 14, 2020, Microsoft released a patch for the Windows operating system that addressed significant vulnerabilities. These vulnerabilities had prompted the Cybersecurity and Infrastructure Security Agency (CISA, a division of the Department of Homeland Security) to release an emergency directive to civilian Executive Branch agencies instructing them to apply the newly released security patches within 10 days.
Several of the disclosed vulnerabilities were deemed to present “exceptional risk” to all Windows 10 operating systems. As a result, Global Payments Gaming Solutions expedited testing of the patching process across all Lightspeed kiosks and Lightspeed point of sale systems and completed its assessment within 2 days, providing added assurance to casinos that the patch updates would not have an adverse impact on those system applications.
What’s the risk?
Though CISA has reported no active exploitation of this vulnerability, casino operators are advised to expedite patching across all systems in order to protect sensitive data. Since many operators rely on Windows as their primary operating system across their properties, all platforms touching this infrastructure could be vulnerable until updated to the patched version.
There are several risks involved if the patch updates are not made as quickly as possible. These include potential exposure of player personal data, such as birthdates, social security numbers, driver's licenses, addresses, spend, and account numbers. Casinos that wait to update their Windows 10 operating systems risk exposing sensitive information and harming long-established trust with their clientele.
Steps to take if relying on the Windows 10 operating system
It is important to recognize that this is a global Windows issue, impacting millions of computers, businesses, and individuals. Additionally, it is rare for a vulnerability to reach the level of visibility that this particular patch rollup has garnered. The very public disclosure backed by Microsoft, CISA and the NSA underscores the potential threat level of the vulnerabilities, so urgent action is warranted.
Here are simple steps to follow to ensure your casino and players are protected:
- Impacted operating systems include Windows 10, Server 2016 and Server 2019. Partner with your IT department to identify which system the casino is currently using.
- Microsoft has already released the patches to address the vulnerabilities. Information is available from Microsoft. Thoroughly test the patch to ensure systems are not adversely impacted by the update before upgrading the live environment.
- If you are using point of sale applications, kiosks, ATMs, or other financial systems that collect, process or store cardholder data (such as VIP Lightspeed POS) on a server that is running a vulnerable operating system, apply the necessary Windows patches in accordance with your organization's standard procedures for patching. As these applications handle sensitive data (VIP Lightspeed POS is one such system), they should be among the top priorities for system updates.
- Finally, remediate the vulnerable operating systems throughout the casino's entire infrastructure via expedited patching, as outlined by the posted emergency directive.
Security and data protection are among the highest priorities for Global Payments Gaming Solutions. For live support from Global Payments, contact our Casino Account Management Services (CAMS) team at 1 (800) 500-1973.