Digital Transactions Authoritative, insightful and timely information for payments professionals
Jim Daly
Microsoft next month will cease support for its Windows XP operating system, which runs hundreds of thousands of ATMs. But many ATM deployers seem to have adopted a “what, me worry?” attitude.
In the ATM world, April 8, 2014, could go down as April Fools’ Day a week late.
The fools, in this context, may be those ATM deployers that have made no plans for, much less upgraded, their machines to run on an operating system other than the 13-year-old Windows XP. Windows developer Microsoft Corp. on April 8 will cease issuing security patches and other support for XP as part of a long-known sunset process for an aged software product.
Windows XP runs an estimated 90%-plus of the world’s ATMs, according to industry executives. The only serious successor to XP as an ATM operating system currently in the market is Microsoft’s Windows 7, which debuted in 2009 but is much more popular than the latest version of Windows, Windows 8. But so far, deployers have upgraded or replaced surprisingly few ATMs running Windows XP, according to industry experts.
“Most people are not doing all that much, which is a bit surprising,” says ATM consultant Sam M. Ditzion, president and chief executive of Boston-based Tremont Capital Group Inc.
David Tente, USA executive director for the ATM Industry Association, says many deployers are keeping their plans close to the vest, but he adds that “my sense of it is … not too much [is] done so far.” ATMIA’s 300 U.S. corporate members operate an estimated 215,000 machines, about half the U.S. base, which in turn represents about a third of the approximately 2.5 million ATMs worldwide.
The Sky Won’t Fall
Many off-premise ATMs, however, run a separate version of Windows called Windows CE, also known as Windows Compact. A leading retail ATM manufacturer, Long Beach, Miss.-based Triton Systems of Delaware, says its proprietary edition of Windows CE is not affected by the Windows XP sunset.
But among Windows XP users, there’s little evidence of a mad rush to upgrade to Windows 7, even though unauthorized withdrawals totaled $300 million in 2012, according to the Federal Reserve’s recently released 2013 Payments Study. In a September poll of its 60-country membership that garnered fewer than 100 responses (half from financial institutions and half from independent deployers), only 38% of respondents said they would be changed over by April 8. Some 20% said they would convert after 2014 and another 20% were undecided.
Why the delay? Turns out, the sky won’t fall on April 9, though security will begin to erode gradually. And, technologically speaking, ATM deployers have already been through a lot in the past couple of years, and they’ve got more coming. In March 2012, for example, they had to meet stricter accessibility standards to comply with the Americans With Disabilities Act (ADA).
Next up is meeting the card networks’ deadlines for conversion of U.S. credit and debit cards to the EMV (Europay-MasterCard-Visa) chip card standard from the old and vulnerable magnetic stripe. A particularly important deadline is coming up in October 2016, when MasterCard Inc. will shift liability for fraudulent U.S. ATM transactions to the non-EMV-enabled issuer or deployer.
Then there is the coming of mobile payments and figuring out how to make ATMs relevant in a world where smart phones will function much the way plastic cards do now. Many banks, meanwhile, are still in the process of replacing old ATMs with imaging machines that take envelope-free deposits, and some even allow for live video interaction with a remote teller. Of course, there is ongoing compliance with the PCI Security Standards Council’s rules, including standards for PIN-accepting devices.
Some ATM deployers are waiting to convert their entire fleets at once, rather than on a piecemeal basis, says Tente. He also notes that licenses for an ATM version of Windows 7 became available only fairly recently.
Thus, upgrading to Windows 7 is just one of several important matters that ATM executives have on their plates in 2014.
“Most of the financial institutions are certainly watching this issue very closely, but don’t want to spend a huge amount of money and change their upgrade cycle just to deal with this one software issue,” says Ditzion.
The costs for upgrading to Windows 7 can vary widely. “It’s an ‘it depends’ question,” says Dean Stewart, senior director, self-service product management, at North Canton, Ohio-based ATM manufacturer Diebold Inc.
Costs include any needed hardware, software licensing fees, applications that run on top of the operating system, remote downloads, and visits by a technician in many cases. An upgrade for a relatively new machine that already has the proper hardware might be only a few hundred dollars. But old ATMs may not be able to run Windows 7, so a replacement could cost $5,000 to $15,000 or more.
No one can accuse Redmond, Wash.-based Microsoft of not being clear about the fate of Windows XP. The support clock for Windows XP was set back in 2004 and included five years of support followed by five years of so-called extended support, Stewart says, adding that “there seems to be no difference” between support and extended support. But after the extended-support period, support will cease.
“This is standard product sun-setting strategy and the announcement occurred quite a while ago,” Lois Hansen, vice president of product development for Co-Op Financial Services, a Rancho Cucamonga, Calif.-based processor and network-services provider for credit unions, says by email. “This should not come as a surprise to anyone.”
Probably the most important aspect of support is the so-called patches that fix security flaws, operating problems, and related bugs after they become known. As any computer user knows, Microsoft, Apple Inc., and many other software providers large and small constantly push out software patches.
‘There’s Always a Risk’
What’s so risky about continuing with Windows XP for a while? After all, most ATMs aren’t connected to the Internet the way many retail point-of-sale systems are, so barbaric hackers aren’t likely to be waiting at the electronic gates on April 8. And most non-violent ATM crime involves hardware, particularly skimmers and miniature cameras, that criminals place on ATMs to capture cardholder account data and PINs.
Still, ATM executives say the risk of fraud and malfunctions from unpatched software will rise over time.
“In the short term, we expect no processing or workflow problems,” says Hansen. “In the longer term and with the application of no more Microsoft security patches on the XP operating system, the credit unions who do not upgrade may be exposed to more fraud risk and they may not be able to add new features or functions to their existing ATMs.”
In a recent white paper for its membership, ATMIA said that since its launch, more than 700 vulnerabilities have been found on Windows XP.
Consultant Ditzion notes that while ATMs typically aren’t connected to the Internet, they usually are part of private networks managed by banks or processors. “Anytime there is network connectivity, anytime someone gets in the network, there is vulnerability,” he says. “As we’ve learned over the years, the bad guys are often smarter than the good guys.”
Adds Diebold’s Stewart: “There’s always potential, there’s always a risk. That’s why we’re encouraging customers to move.”
At the very least, not patching a card-accepting device such as an ATM risks putting the operator out of compliance with the PCI rules, says Patty Henneke, senior vice president and head of the ATM banking group at U.S. Bancorp. “More important, it’s the right thing to do,” she says.
For a big ATM deployer such as Minneapolis-based U.S. Bancorp, which operates nearly 5,000 ATMs and more than 3,000 U.S. Bank branches, graduating from Windows XP is a big job. Planning began back in 2010, says Henneke. About 99% of U.S. Bank ATMs are Diebold Opteva devices that run Diebold’s Agilis EmPower management application on top of Windows XP.
The changeover involved a visit to each machine to determine just what would needed. Much of the software work could be done remotely; in fact, a U.S. Bank employee developed a process for remotely downloading Windows 7, says Henneke.
Still, U.S. Bancorp had many ATMs too old to upgrade to comply with 2012’s stricter ADA mandates or to run Windows 7 two years later. So the company has replaced an undisclosed number of ATMs.
“It’s a cost-benefit analysis; we did replace a lot of the older machines,” says Henneke. “Our fleet was pretty old. We historically kept our machines as long as we could.”
U.S. Bancorp has put EMV card readers on its ATMs although it has not yet installed the software to run them, according to Henneke. She did not have cost figures on hand, but says the conversion process largely has gone well.
“It’s been really smooth, and I think that it’s years of planning that was the key to it,” she says. “Part of that was we’re not waiting in line for parts.”
‘Technology Refresh’
Stewart says that because most banks and credit unions weren’t ready for Windows 7, most new Diebold machines still ship with Windows XP but include so-called “migration rights,” or a license, to upgrade to Windows 7. Diebold began working with its financial-institution customers “in earnest” last year on conversion issues, including applications that will work with Windows 7.
The conversion is prompting financial institutions to look at new ATM technologies, including deposit imaging, he says. “It can spur a technology refresh and then allow those banks to provide additional services to their customers,” says Stewart.
Henneke also foresees long-term benefits despite the collective hassle of meeting the ADA mandates, dealing with the Windows XP sunset, planning for EMV, and figuring out just what new technological bells and whistles an ATM should have.
“I guess they’re a blessing and a curse,” she says. “It really has allowed ATM acquirers to add new technologies. It really has caused a revival in ATMs.”
