Banks Struggle To Get ATMs Off Windows XP

Most ATMS still run on Windows XP, according to one industry estimate. With less than nine months until Microsoft stops supporting the OS, a credit union exec explains why upgrading is so painful for financial institutions.
For starters, most of the major networks and processors that handle ATM transactions -- such as STAR and the gaggle of other logos you see plastered on debit cards and ATM terminals -- have only just recently finished certifying Windows 7 earlier this year, according to Campbell. Some are still in the process of doing so. ATMs that were upgraded to Windows 7 sooner might have run into network compatibility problems or related glitches.

Another big factor: an end-of-life deadline for an OS like Windows XP is just one hurdle in a steady stream of regulatory and technology challenges that financial institutions must plan for. Most ATM operators are still reeling from the recent implementation of the American Disabilities Act voice guidance requirements, for example. "[ADA compliance] pretty much crippled the ATM industry for six-plus months in 2012," Campbell said -- meaning no one had the resources to deal with issues such as Microsoft's fast-approaching support cutoff for XP.

Similarly, other ongoing initiatives and requirements, such as deposit automation, force managers to make a development-and-testing choice: Do I code this for XP or for Windows 7? The former often wins out because it's already in place and deadlines are deadlines.

For Campbell and other long-term planners in his line of work, the end of XP support moved into the top spot once ADA compliance efforts were complete. Still, some financial institutions might simply be unaware of the issue. "Not everybody has a clear idea of what they have in their machines," said Campbell, who is active in several industry trade groups. He added that some ATM operators might be aware of the XP cutoff but don't know enough about their hardware specifications to efficiently upgrade to Windows 7.

"If you don't know what hardware your machine is running on, you're going to be in a sad state when Diebold or NCR or whomever your manufacturer is comes out and says 'we're here to do your upgrade, but we can't because your machine is too slow,'" Campbell said.

Campbell noted that the longstanding mentality among ATM operators has been: "If it's working, leave it alone." He said that's slowly changing, but likely not fast enough to beat the end of XP support.

Marc DeCastro, research director at IDC Financial Insights, said that ATM upgrades, not unlike PC refreshes in corporate offices, get postponed when cash flow gets tight. "Often times it is an easy budget-saver to defer an ATM upgrade if the ATM is in fact doing what it is supposed to be doing, which is giving out cash and taking deposits," DeCastro said via email. Although the XP support cutoff might act as an upgrade catalyst for some financial institutions, DeCastro doesn't expect them to do so en masse. "The problem is that there is not much money being made with ATM technology, so to pay for this the bank [or] credit union will need to look to cut somewhere else," DeCastro said.

Both DeCastro and Campbell said it's unclear whether XP-based ATMs will spawn an increase in security issues after April 8. "While the sunset of any operating system should cause concern, I am not certain that most crooks will be able to identify the OS of an ATM, thus it is less likely that simply running an ATM with Windows XP represents a bigger threat," DeCastro said.

Campbell said it's "anybody's guess" as to whether XP-based ATMs will become more vulnerable to security threats. Other issues, such as the performance requirements of new versions of other ATM applications, will likely be a more visible glitch as XP continues to age. The most pressing issue is -- or at least should be -- PCI compliance, according to Campbell. That, backed by future functionality requests and security questions, helped Campbell make the case to his executive management that the credit union needed to fast-track their ATM upgrades. Campbell expects those upgrades to be completed before XP support ends.

"I just know that if you're a shop that's at all concerned about PCI, if [you get audited by] someone who knows how to read that 200-some items of PCI DSS, they're going to [ask]: 'Oh wait, are you still patching? Because XP is defunct,'" Campbell said. "No? Ding, here's an X mark for you."

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing