Banks Struggle To Get ATMs Off Windows XP - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

12:22 PM

Banks Struggle To Get ATMs Off Windows XP

Most ATMS still run on Windows XP, according to one industry estimate. With less than nine months until Microsoft stops supporting the OS, a credit union exec explains why upgrading is so painful for financial institutions.

For starters, most of the major networks and processors that handle ATM transactions -- such as STAR and the gaggle of other logos you see plastered on debit cards and ATM terminals -- have only just recently finished certifying Windows 7 earlier this year, according to Campbell. Some are still in the process of doing so. ATMs that were upgraded to Windows 7 sooner might have run into network compatibility problems or related glitches.

Another big factor: an end-of-life deadline for an OS like Windows XP is just one hurdle in a steady stream of regulatory and technology challenges that financial institutions must plan for. Most ATM operators are still reeling from the recent implementation of the American Disabilities Act voice guidance requirements, for example. "[ADA compliance] pretty much crippled the ATM industry for six-plus months in 2012," Campbell said -- meaning no one had the resources to deal with issues such as Microsoft's fast-approaching support cutoff for XP.

Similarly, other ongoing initiatives and requirements, such as deposit automation, force managers to make a development-and-testing choice: Do I code this for XP or for Windows 7? The former often wins out because it's already in place and deadlines are deadlines.

For Campbell and other long-term planners in his line of work, the end of XP support moved into the top spot once ADA compliance efforts were complete. Still, some financial institutions might simply be unaware of the issue. "Not everybody has a clear idea of what they have in their machines," said Campbell, who is active in several industry trade groups. He added that some ATM operators might be aware of the XP cutoff but don't know enough about their hardware specifications to efficiently upgrade to Windows 7.

"If you don't know what hardware your machine is running on, you're going to be in a sad state when Diebold or NCR or whomever your manufacturer is comes out and says 'we're here to do your upgrade, but we can't because your machine is too slow,'" Campbell said.

Campbell noted that the longstanding mentality among ATM operators has been: "If it's working, leave it alone." He said that's slowly changing, but likely not fast enough to beat the end of XP support.

Marc DeCastro, research director at IDC Financial Insights, said that ATM upgrades, not unlike PC refreshes in corporate offices, get postponed when cash flow gets tight. "Often times it is an easy budget-saver to defer an ATM upgrade if the ATM is in fact doing what it is supposed to be doing, which is giving out cash and taking deposits," DeCastro said via email. Although the XP support cutoff might act as an upgrade catalyst for some financial institutions, DeCastro doesn't expect them to do so en masse. "The problem is that there is not much money being made with ATM technology, so to pay for this the bank [or] credit union will need to look to cut somewhere else," DeCastro said.

Both DeCastro and Campbell said it's unclear whether XP-based ATMs will spawn an increase in security issues after April 8. "While the sunset of any operating system should cause concern, I am not certain that most crooks will be able to identify the OS of an ATM, thus it is less likely that simply running an ATM with Windows XP represents a bigger threat," DeCastro said.

Campbell said it's "anybody's guess" as to whether XP-based ATMs will become more vulnerable to security threats. Other issues, such as the performance requirements of new versions of other ATM applications, will likely be a more visible glitch as XP continues to age. The most pressing issue is -- or at least should be -- PCI compliance, according to Campbell. That, backed by future functionality requests and security questions, helped Campbell make the case to his executive management that the credit union needed to fast-track their ATM upgrades. Campbell expects those upgrades to be completed before XP support ends.

"I just know that if you're a shop that's at all concerned about PCI, if [you get audited by] someone who knows how to read that 200-some items of PCI DSS, they're going to [ask]: 'Oh wait, are you still patching? Because XP is defunct,'" Campbell said. "No? Ding, here's an X mark for you."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/16/2014 | 8:20:59 PM
re: Banks Struggle To Get ATMs Off Windows XP
How hard could it be to build an embedded PC footprint as a cash transaction device? Cheap 5-10 year old mainboards, a cold single core processor, 1GB ram(if even that), a Disk On Module with a write filter copy of Windows 7 Embedded or maybe WinPE if desperate. This isn't difficult with Slackware or some minimalist linux either. It's just an operating system.
User Rank: Apprentice
8/1/2013 | 11:53:43 AM
re: Banks Struggle To Get ATMs Off Windows XP
I agree fully with your statement of it being more hardware than software. I have witnessed first hand some of these smaller banks and the hardware they have is archaic (Serial ports and proprietary add-on cards). I think Microsoft has been fair about how long they will support XP. The OS is 13 years old and yes it was a favorite for most of us, but it is time to move on and upgrade. It is something all companies go through anymore and these small banks just need to bite the bullet and open their pocketbooks to get this corrected.
User Rank: Ninja
7/30/2013 | 5:51:00 PM
re: Banks Struggle To Get ATMs Off Windows XP
I don't understand why banks are having such a tough time. Granted, XP's resource requirements are different than WIndows 7 so a new motherboard is probably a good idea but aside from installers and applications that do not follow guidelines dealing with registry access and where to write user-context files, Windows 7 should run Windows XP applications. However, if the ATMs make use of older peripheral standards such as serial ports, parallel ports or other custom expansion boards that interact with the ATM's mechanics, that could cause a lot of fustration. Although there are USB-based adapters for these older technologies, I've found many to have extremely poor quality drivers leading to unreliable peripheral operation. An unreliable ATM or one that fails to feed bills (but thinks it did) would lead to unhappy customers and high support costs.

IMO -- this is probably not as much of a software problem as it is a hardware problem.

Regarding being unsupported and failing PCI audits -- that's a huge issue but I don't think it will be a security Armageddon. If banks lock down network access and use white listing technology that monitors executables on disk and in memory (plus NX or XD chip tech that prevents code execution in data areas), the system is pretty difficult to compromise.
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
Study Proposes 5 Primary Traits of Innovation Leaders
Joao-Pierre S. Ruth, Senior Writer,  11/8/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Flash Poll