Banks Struggle To Get ATMs Off Windows XP

Most ATMs still run on Windows XP, according to one industry estimate. With less than nine months until Microsoft stops supporting the OS, a credit union exec explains why upgrading is so painful for financial institutions.

Kevin Casey, Contributor

July 30, 2013


They're so commonplace that you'd be forgiven for forgetting that they're computers, albeit limited to a single application: handling cash.

Automated teller machines, better known as ATMs, are indeed computers, though, even if we don't think of them in the traditional "PC" sense. There's a screen, a keypad, a user interface. Under the hood, there's memory, a processor and other hardware. There's also an operating system -- and if you had to bet your checking account, the smart money would say your ATM runs on Windows XP.

"It's like any other Windows-based PC," said John Campbell, manager of the automated delivery systems department at Virginia Credit Union, in an interview. "I tell the new hires here at work 'remember, your ATM is just this' -- and I point to the PC on their desk. And just like a PC at work or at home, Windows gets grumpy [in certain scenarios]."

Most ATMs used to run on IBM's OS/2. That changed in the early 2000s, according to Campbell, when IBM began phasing out OS/2 and later announced it would end support for the software. Most OS/2 terminals were upgraded to Windows XP-based systems. Although that enabled a good deal more functionality and potential applications, it added an equal dose of complexity.

"Nobody was ever hacked in OS/2," Campbell said, noting the popularity of Windows as a target for online criminals. "There's a lot more behind-the-scenes work you've got to do with these ATMs than you ever had to do in the OS/2 world."

Virginia Credit Union, with more than $2 billion in assets, operates 16 branches that count state employees as their largest customer segment. The bank's 34 ATMs have all been upgraded during the last several years to modern, full-functioning terminals running on XP. That gives it much in common with the rest of the ATM industry.

Dean Stewart, senior director of core product solutions at Diebold, one of the major ATM service providers, estimated that around 75% of ATMs in the U.S. are based on XP. Microsoft will end support for the popular but aged OS on April 8, 2014, less than nine months from now.

Although some banks and credit unions, Campbell's included, are busy upgrading their fleets to Windows 7 before next April, you don't need to be a math major to figure out that plenty of cash machines will still be running XP after the support cutoff. "It's not a simple flip," Campbell said.

Atop the list of problems that poses: running an unsupported OS would render a financial institution non-compliant with payment card industry (PCI) requirements. If an institution is declared non-compliant in an audit, fines could run thousands -- even tens of thousands -- of dollars per month, a potentially crippling cost for smaller financial institutions, according to Diebold's Stewart.

There are lots of reasons why XP remains the dominant software powering so many ATMs. Several of them should sound familiar to IT pros who handle OS migrations for their corporate PC portfolios: budget, hardware performance, and compatibility issues should make a few heads nod in agreement.

Other factors are specific to the banking industry and the operational complexity of managing ATMs. To the end user, ATMs are quite simple: They take deposits and spit out cash. For folks in Campbell's shoes, they're expensive and complicated machines that require a lot of upkeep. For starters, most of the major networks and processors that handle ATM transactions -- such as STAR and the gaggle of other logos you see plastered on debit cards and ATM terminals -- finished certifying Windows 7 only earlier this year, according to Campbell. Some are still in the process of doing so. ATMs that were upgraded to Windows 7 sooner might have run into network compatibility problems or related glitches.

Another big factor: an end-of-life deadline for an OS like Windows XP is just one hurdle in a steady stream of regulatory and technology challenges that financial institutions must plan for. Most ATM operators are still reeling from the recent implementation of the Americans with Disabilities Act voice guidance requirements, for example. "[ADA compliance] pretty much crippled the ATM industry for six-plus months in 2012," Campbell said -- meaning no one had the resources to deal with issues such as Microsoft's fast-approaching support cutoff for XP.

Similarly, other ongoing initiatives and requirements, such as deposit automation, force managers to make a development-and-testing choice: Do I code this for XP or for Windows 7? The former often wins out because it's already in place and deadlines are deadlines.

For Campbell and other long-term planners in his line of work, the end of XP support moved into the top spot once ADA compliance efforts were complete. Still, some financial institutions might simply be unaware of the issue. "Not everybody has a clear idea of what they have in their machines," said Campbell, who is active in several industry trade groups. He added that some ATM operators might be aware of the XP cutoff but don't know enough about their hardware specifications to efficiently upgrade to Windows 7.

"If you don't know what hardware your machine is running on, you're going to be in a sad state when Diebold or NCR or whomever your manufacturer is comes out and says 'we're here to do your upgrade, but we can't because your machine is too slow,'" Campbell said.

Campbell noted that the longstanding mentality among ATM operators has been: "If it's working, leave it alone." He said that's slowly changing, but likely not fast enough to beat the end of XP support.

Marc DeCastro, research director at IDC Financial Insights, said that ATM upgrades, not unlike PC refreshes in corporate offices, get postponed when cash flow gets tight. "Often times it is an easy budget-saver to defer an ATM upgrade if the ATM is in fact doing what it is supposed to be doing, which is giving out cash and taking deposits," DeCastro said via email. Although the XP support cutoff might act as an upgrade catalyst for some financial institutions, DeCastro doesn't expect them to do so en masse. "The problem is that there is not much money being made with ATM technology, so to pay for this the bank [or] credit union will need to look to cut somewhere else," DeCastro said.

Both DeCastro and Campbell said it's unclear whether XP-based ATMs will spawn an increase in security issues after April 8. "While the sunset of any operating system should cause concern, I am not certain that most crooks will be able to identify the OS of an ATM, thus it is less likely that simply running an ATM with Windows XP represents a bigger threat," DeCastro said.

Campbell said it's "anybody's guess" as to whether XP-based ATMs will become more vulnerable to security threats. Other issues, such as the performance requirements of new versions of other ATM applications, will likely be a more visible glitch as XP continues to age. The most pressing issue is -- or at least should be -- PCI compliance, according to Campbell. That, backed by future functionality requests and security questions, helped Campbell make the case to his executive management that the credit union needed to fast-track their ATM upgrades. Campbell expects those upgrades to be completed before XP support ends.

"I just know that if you're a shop that's at all concerned about PCI, if [you get audited by] someone who knows how to read that 200-some items of PCI DSS, they're going to [ask]: 'Oh wait, are you still patching? Because XP is defunct,'" Campbell said. "No? Ding, here's an X mark for you."

About the Author

Kevin Casey

Contributor

Kevin Casey is a writer based in North Carolina who writes about technology for small and mid-size businesses.
