April 8th marks the last day of official Microsoft support for Windows XP. Much to the chagrin of those who run an ATM network, the majority of ATMs out there are still running Windows XP today. What will this mean on April 9th?
For the consumer, it will mean very little. In fact, most consumers have no idea that a standard PC-based operating system is running the software behind their bank or credit union's ATM. When I was installing ATMs, most of ours were running on a version of OS/2 Warp! The reality is that while this issue needs to be addressed, it is not something that is going to happen overnight, and since most ATM attacks target external components such as card skimmers rather than the operating system, consumers should not be overly concerned.
The ATMs on April 9th will be as secure as they were on April 7th - however, with no future upgrades or patches, any new attack against XP-based terminals could prove to be costly. After April 8th 2014, any newly discovered Windows XP vulnerability will essentially remain an unpatched zero-day in perpetuity - yikes!
Most individuals who walk up to an ATM have no idea whether it is running Windows XP or Windows 7. Anyone who tries, at the machine level, to install some sort of virus or trojan horse onto a terminal will be at a disadvantage. All the components that give access to the OS are located inside the secured area of the branch that houses the ATM. It really would not be worthwhile to try to infiltrate the ATM in such a manner. If you get that far - you may as well pop open the cash trays.
There are four choices a financial institution can take with regard to XP. The first, and least likely, option is to do nothing. By doing nothing, the bank runs the risk of operating a non-PCI-compliant device and could face fines; however, it does not mean that the ATMs stop running once support ends. The next option is to arrange for an upgrade of the operating system while keeping the rest of the ATM pretty much intact. While this strategy will work, it will take some time and expense to visit the numerous non-compliant ATMs.
Another option is to find a middleware solution that allows the bank to keep running the ATM on XP while providing the security controls required for PCI compliance. This would allow the financial institution to take a more structured approach to its ATM strategy, but it does introduce another layer of cost. The final option is a complete upgrade of the ATM to the latest applications and operating system.
An ATM purchase can be thought of like most technology purchases, in that the machine becomes technically obsolete long before it becomes mechanically obsolete. For many institutions, running an ATM for 10-15 years is common, and they may have a rolling upgrade of, say, 10% - 20% of all ATMs each year.
Certain compliance requirements and enhanced technology such as envelope-free deposits can drive some upgrades a bit faster, but as institutions continue to look for ways to run more efficiently, it is often the ATM that is still operating that gets bypassed in favour of other investments. Institutions should already have a plan in place today for how they are addressing this, both in the short term and in the long term.
Posted by Marc DeCastro, Research Director - Consumer Banking, IDC Financial Insights