Mobile
News
7/30/2013
12:22 PM
50%
50%

Banks Struggle To Get ATMs Off Windows XP

Most ATMS still run on Windows XP, according to one industry estimate. With less than nine months until Microsoft stops supporting the OS, a credit union exec explains why upgrading is so painful for financial institutions.

For starters, most of the major networks and processors that handle ATM transactions -- such as STAR and the gaggle of other logos you see plastered on debit cards and ATM terminals -- have only just recently finished certifying Windows 7 earlier this year, according to Campbell. Some are still in the process of doing so. ATMs that were upgraded to Windows 7 sooner might have run into network compatibility problems or related glitches.

Another big factor: an end-of-life deadline for an OS like Windows XP is just one hurdle in a steady stream of regulatory and technology challenges that financial institutions must plan for. Most ATM operators are still reeling from the recent implementation of the American Disabilities Act voice guidance requirements, for example. "[ADA compliance] pretty much crippled the ATM industry for six-plus months in 2012," Campbell said -- meaning no one had the resources to deal with issues such as Microsoft's fast-approaching support cutoff for XP.

Similarly, other ongoing initiatives and requirements, such as deposit automation, force managers to make a development-and-testing choice: Do I code this for XP or for Windows 7? The former often wins out because it's already in place and deadlines are deadlines.

For Campbell and other long-term planners in his line of work, the end of XP support moved into the top spot once ADA compliance efforts were complete. Still, some financial institutions might simply be unaware of the issue. "Not everybody has a clear idea of what they have in their machines," said Campbell, who is active in several industry trade groups. He added that some ATM operators might be aware of the XP cutoff but don't know enough about their hardware specifications to efficiently upgrade to Windows 7.

"If you don't know what hardware your machine is running on, you're going to be in a sad state when Diebold or NCR or whomever your manufacturer is comes out and says 'we're here to do your upgrade, but we can't because your machine is too slow,'" Campbell said.

Campbell noted that the longstanding mentality among ATM operators has been: "If it's working, leave it alone." He said that's slowly changing, but likely not fast enough to beat the end of XP support.

Marc DeCastro, research director at IDC Financial Insights, said that ATM upgrades, not unlike PC refreshes in corporate offices, get postponed when cash flow gets tight. "Often times it is an easy budget-saver to defer an ATM upgrade if the ATM is in fact doing what it is supposed to be doing, which is giving out cash and taking deposits," DeCastro said via email. Although the XP support cutoff might act as an upgrade catalyst for some financial institutions, DeCastro doesn't expect them to do so en masse. "The problem is that there is not much money being made with ATM technology, so to pay for this the bank [or] credit union will need to look to cut somewhere else," DeCastro said.

Both DeCastro and Campbell said it's unclear whether XP-based ATMs will spawn an increase in security issues after April 8. "While the sunset of any operating system should cause concern, I am not certain that most crooks will be able to identify the OS of an ATM, thus it is less likely that simply running an ATM with Windows XP represents a bigger threat," DeCastro said.

Campbell said it's "anybody's guess" as to whether XP-based ATMs will become more vulnerable to security threats. Other issues, such as the performance requirements of new versions of other ATM applications, will likely be a more visible glitch as XP continues to age. The most pressing issue is -- or at least should be -- PCI compliance, according to Campbell. That, backed by future functionality requests and security questions, helped Campbell make the case to his executive management that the credit union needed to fast-track their ATM upgrades. Campbell expects those upgrades to be completed before XP support ends.

"I just know that if you're a shop that's at all concerned about PCI, if [you get audited by] someone who knows how to read that 200-some items of PCI DSS, they're going to [ask]: 'Oh wait, are you still patching? Because XP is defunct,'" Campbell said. "No? Ding, here's an X mark for you."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
rradina
50%
50%
rradina,
User Rank: Ninja
7/30/2013 | 5:51:00 PM
re: Banks Struggle To Get ATMs Off Windows XP
I don't understand why banks are having such a tough time. Granted, XP's resource requirements are different than WIndows 7 so a new motherboard is probably a good idea but aside from installers and applications that do not follow guidelines dealing with registry access and where to write user-context files, Windows 7 should run Windows XP applications. However, if the ATMs make use of older peripheral standards such as serial ports, parallel ports or other custom expansion boards that interact with the ATM's mechanics, that could cause a lot of fustration. Although there are USB-based adapters for these older technologies, I've found many to have extremely poor quality drivers leading to unreliable peripheral operation. An unreliable ATM or one that fails to feed bills (but thinks it did) would lead to unhappy customers and high support costs.

IMO -- this is probably not as much of a software problem as it is a hardware problem.

Regarding being unsupported and failing PCI audits -- that's a huge issue but I don't think it will be a security Armageddon. If banks lock down network access and use white listing technology that monitors executables on disk and in memory (plus NX or XD chip tech that prevents code execution in data areas), the system is pretty difficult to compromise.
mykiralspirelli
50%
50%
mykiralspirelli,
User Rank: Apprentice
8/1/2013 | 11:53:43 AM
re: Banks Struggle To Get ATMs Off Windows XP
I agree fully with your statement of it being more hardware than software. I have witnessed first hand some of these smaller banks and the hardware they have is archaic (Serial ports and proprietary add-on cards). I think Microsoft has been fair about how long they will support XP. The OS is 13 years old and yes it was a favorite for most of us, but it is time to move on and upgrade. It is something all companies go through anymore and these small banks just need to bite the bullet and open their pocketbooks to get this corrected.
DaemonForce
50%
50%
DaemonForce,
User Rank: Apprentice
1/16/2014 | 8:20:59 PM
re: Banks Struggle To Get ATMs Off Windows XP
How hard could it be to build an embedded PC footprint as a cash transaction device? Cheap 5-10 year old mainboards, a cold single core processor, 1GB ram(if even that), a Disk On Module with a write filter copy of Windows 7 Embedded or maybe WinPE if desperate. This isn't difficult with Slackware or some minimalist linux either. It's just an operating system.
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.