Will the world end for ATM owners on April 8? Not likely, but it could become less secure. That is the day Microsoft Corp. ends all support—including security updates—for Windows XP, a common operating system not only for PCs but also for ATMs. That has the ATM industry pondering a migration to Windows 7 or 8.
Security is a primary concern for ATM operators. “What it really comes down to is security updates and hot fixes,” says Sam M. Ditzion, chief executive of Boston-based Tremont Capital Group Inc., a consulting firm to the ATM industry. Hot fixes are patches meant to resolve a specific software problem. Windows 7 is the choice for most ATM operators, he says. “Almost no one is going to upgrade to Windows 8 for a range of reasons,” he says.
Without Windows XP security updates and hot fixes issued by Microsoft, ATMs that continue to use the operating system may be vulnerable to criminals. Unfortunately, ATM operators just now considering a migration to a new Windows operating system are running out of time, says David Tente, executive director the USA chapter of the ATM Industry Association, an international trade group of ATM independent sales organizations, vendors, processors, and related companies.
“The issues are primarily the short period of time they have to get this done and the licensing agreements with Microsoft,” Tente says. “Operators have to have a specific license to run Windows on ATMs.” He says some of the larger ATM operators are negotiating directly with Microsoft, “which is typically very expensive.”
But most smaller operators do not have the financial resources to do that, Ditzion says. It can cost a few hundred dollars to get a Windows 7 license, he says. “It depends on who they buy it from and the type of license,” Ditzion says.
The problem many ATM operators face now, with seven months left until April 8, is time, he says. “The problem is there are a lot of folks that will need to do more than simply download Windows 7 and install it,” Ditzion says. Most installations will require a technician to visit the ATM to perform the upgrade, and operators may have to replace machines that have processing cores incompatible with Windows 7.
Also complicating the decision is the expectation that chip cards will replace payment cards using magnetic stripes in the United States. The migration to chip cards, which adhere to the EMV protocol, is a few years away, but one ATM operators are advised to consider now, Ditzion says. U.S. merchants face an Oct. 1, 2015, deadline when counterfeit fraud will shift to them if they cannot process EMV card transactions. The liability shift for ATM operators is Oct. 1, 2016, and Oct. 1, 2017, according to decrees from MasterCard Inc. and Visa Inc., respectively.
“You don’t want to spend money to upgrade to Windows 7 and not be able to support EMV,” Ditzion says. “You want to be smart about this and think several moves ahead in the chess game.”
For example, Minneapolis-based US Bank is among the largest ATM operators—it has more than 4,900 machines—to migrate to Windows 7, a process underway that should be completed in early 2014. In addition to the software upgrades, encrypting PIN pads also will be installed along with EMV card readers on the machines, US Bank says.
Large or small, ATM operators have a diminishing amount of time to make their migration decisions, Ditzion says. “My concern is that by the time people make their decisions to do something, it could be too late and ATMs could be vulnerable.”