On Tuesday, January 14, 2020, Microsoft released a patch for the Windows operating system that addressed significant vulnerabilities. These had prompted the Cybersecurity and Infrastructure Security Agency (CISA, a division of the Department of Homeland Security) to release an emergency directive to civilian Executive Branch agencies instructing them to apply the newly released security patches within 10 days.
Several disclosed vulnerabilities were deemed to present “exceptional risk” to all Windows 10 operating systems. As a result, Pavilion Payments expedited the testing of the patching process across all Lightspeed kiosks and Lightspeed point-of-sale systems. It completed its assessment within two days, assuring casinos that the patch updates would not harm those system applications.
What’s the risk?
Though CISA has reported no active exploits of this vulnerability, casino operators are advised to expedite patching across all systems to protect sensitive data. Because many operators rely on Windows as their primary operating system across their properties, all platforms touching this infrastructure could be vulnerable until they are updated to the patched version.
There are several risks if the patch updates are completed late. They include potential exposure of player personal data, such as birthdates, social security numbers, driver’s licenses, addresses, spending, and account numbers. In addition, casinos that wait to update their Windows 10 operating systems risk exposing sensitive information and harming long-established trust with their clientele.
Steps to take if relying on Windows 10 operating system
It is essential to recognize that this is a global Windows issue impacting millions of computers, businesses, and individuals. A vulnerability rarely reaches the level of visibility that this particular patch rollup has garnered. The very public disclosure backed by Microsoft, CISA, and the NSA underscores the potential threat level of the vulnerabilities. Thus, urgent action is warranted.
Here are simple steps to follow to ensure your casino and players are protected:
- Impacted operating systems include Windows 10, Server 2016, and Server 2019. Partner with your I.T. department to identify which system the casino is currently using.
- Microsoft has already released the patches to address the vulnerabilities. Information can be obtained from Microsoft here. Thoroughly test the patch to ensure the update does not adversely impact systems before upgrading the live environment.
- If you are using point-of-sale applications, kiosks, ATMs, or other financial systems that collect, process, or store cardholder data (such as VIP Lightspeed POS) on a server that is running a vulnerable operating system, apply the necessary Windows patches following your organization’s standard procedures for patching. As these applications handle sensitive data, they should be among the top priorities for system updates.
- Finally, conduct remediation of the vulnerable operating systems throughout the casino’s entire infrastructure, as outlined by the posted emergency directive via expedited patching.
Security and data protection are the highest priorities for Pavilion Payments. For live support from Pavilion Payments, contact our Casino Account Management Services (CAMS) team at 1 (800) 500-1973.