ATMs Face Deadline to Upgrade From Windows XP

The vast majority of automated teller machines have an April deadline to get off Windows XP
Illustration by 731

One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a few of the features that Wells Fargo, Bank of America, JPMorgan Chase, and other banks tout as the latest and greatest features of their fleets of ATMs. It’s hardly stuff to set the heart racing.

When ATMs were introduced more than 40 years ago, they were considered advanced technology. Today, not so much. There are 420,000 ATMs in the U.S., and on April 8, a deadline looms for nearly all of them that underscores how sluggishly the nation’s cash delivery system moves forward. That’s the day Microsoft cuts off tech support for Windows XP, meaning that ATMs running the software will no longer receive regular security patches and won’t be in compliance with industry standards. Most machines that get upgraded will shift to Windows 7, an operating system that became available in October 2009. (Some companies get a bit of a reprieve: For ATMs using a stripped-down version of XP known as Windows XP Embedded, which is less susceptible to viruses, Microsoft support lasts until early 2016.)

Inside every ATM casing is a computer, and like all such devices, each one runs on an OS. Microsoft’s 12-year-old Windows XP dominates the ATM market, powering more than 95 percent of the world’s machines and a similar percentage in the U.S., according to Robert Johnston, a marketing director at NCR, the largest ATM supplier in the U.S.

The many offshoots of the country’s jumbled ATM network, ranging from convenience stores that operate a single antiquated cash machine to national banks that oversee tens of thousands of terminals, are feeling the deadline in different ways, says Suzanne Cluckey, the editor of ATM Marketplace, a news site that serves the industry. More advanced ATM fleets can do the update over their networks. Older ATMs must be upgraded one by one or even replaced entirely if they don’t have enough computing power to run the newer, more demanding software. “My bank operates an ATM that looks like it must be 20 years old, and there’s no way that it can support Windows 7,” says Cluckey. “A lot of ATMs will have to either have their components upgraded or be discarded altogether and sold into the aftermarket—or just junked.”

Aravinda Korala, chief executive officer of ATM software provider KAL, says he expects only 15 percent of bank ATMs in the U.S. to be on Windows 7 by the April deadline. “The ATM world is not really ready, and that’s not unusual,” he says. “ATMs move more slowly than PCs.” While ATMs seem to be everywhere, their total number—an estimated 3 million worldwide, according to consulting firm Retail Banking Research—isn’t very many compared with the global base of Windows users. As a rule, security patches that directly affect the machines might be issued only once a quarter, Korala says.

Microsoft is selling custom tech support agreements that extend the life of Windows XP, although the cost can soar quickly—multiplying by a factor of five in the second year, says Korala. JPMorgan is buying a one-year extension and will start converting its machines to Windows 7 in July; about 3,000 of its 19,000 ATMs need enhancements before the process can begin, according to spokeswoman Patricia Wexler. A Wells Fargo spokeswoman says that the company is working with Microsoft and ATM manufacturers to upgrade its machines.

The cost to upgrade a single ATM to Windows 7 can range from a few hundred dollars if its hardware is adequate, says Stewart, to thousands of dollars if new components are required.

ATMs whose operators ignore the deadline will continue to function, says Dean Stewart, an executive at Diebold, which makes ATMs. They’ll just become more vulnerable to malware and other attacks against weaknesses discovered over time in Windows XP. (Customer balances are safe under the standard protections banks offer to ATM users against fraud.) “It’s a very real risk,” Stewart says. “No ATM operator wants to get his name in the paper.”

The ATM industry has faced deadlines of this kind before. “Basically, since the year 2000, they’ve gotten pretty good at these kind of planned crises,” says Rob Evans, the director of marketing at Nautilus Hyosung, another ATM manufacturer. New encryption standards became mandatory in 2002. In 2011 banks had to upgrade ATMs with audio technology to comply with the Americans With Disabilities Act.

There already is another deadline to consider: the 2015 switch to cards embedded with secure microchips. Amid reports of the recent theft of as many as 40 million card records from Target, some ATM operators are upgrading to the chip-based hardware at the same time they ditch Windows XP. “Banks will also look at this from a business perspective: If I’m tearing apart the machine, what else can we do?” says Evans.

U.S. Bancorp, with the fifth-largest bank ATM network, began planning for the switch in 2010, when its 5,000 machines were an average of 13 years old. That will be cut to five years by the April deadline, says Senior Vice President Patty Henneke. If all goes as planned, customers won’t notice any differences. “We hope it’s invisible,” she says.

Windows 7 brings new features such as support for multitouch interfaces. “Windows 7 allows a true, modern touch ability,” says NCR’s Johnston. “You can swipe, pinch, drag things around. That starts to meet customers’ expectations of what self-service should be as they move into the 21st century.” With iPad-like functionality on the horizon, ATMs would finally enter, if not the future, at least the recent past.

    Before it's here, it's on the Bloomberg Terminal. LEARN MORE