Bank ATMs still not ready for XP Armageddon

In less than a month’s time we could see more computer machines installed in ATMs, running Windows XP or with Windows XP Support being exposed to potential threats. Why? Microsoft is pulling the plug on Windows XP on April 8. This raises serious security and compliance issues for the systems’ operators as it is estimated that more than six out of 10 ATM machines in the US run Windows XP.


According to the data made available by ATM Industry Association (ATMIA), about 38% of the nearly 425,000 ATMs in the U.S. that are powered by Windows XP will have migrate to a newer OS. On the other hand, The Payment Card Industry Security Standards Council (PCI SSC), the body that oversees security standards in the payments industry, has come clear on the process – ATMs still on Windows XP after April 8 will need to have certain compensating controls in place to be considered PCI compliant. It estimates that Windows XP powers 95% of ATMs in the world.

Microsoft XP was released in 2001 but remains widely used till date. Why have companies have failed to upgrade to different software?

  1. The magnitude of the migration and the huge cost involved.
  2. Require a technician to visit physically and hands-on upgrade. This increases the cost of upgrading to new OS by many folds.

Most Banks are already in the midst of transitioning from their current system to the newer ones as they are aware their customers use the machines on daily basis and any trouble or security threat would cause them great inconvenience.

Microsoft has been consistently reminding customers about the deadline, but the ATM industry has been slow to react to a potential problem, probably due to the tremendous involved in the exercise.

It is however to be noted that all ATM’s and other devices that run XP POSReady 2009 will get updates until 2019.

Posted by with Tags
The author Hemant Saxena is a post-graduate in technology and has an immense interest in following Microsoft and other technology developments around the world. Quiet by nature, he is an avid Lacrosse player.

One Comment

  1. Gregg L. DesElms

    Nice article! It’s more than just ATMs, though. Most people don’t realize the role that XP played in the Target credit card debacle.

    SEE | (Google search: target “credit card” breach)

    Nearly all of the red credit card swipe-and-sign terminals, in all the cash register lanes, in all of the US’s Target stores (which terminals were compromised, and from which the data from literally millions and millions of credit cards were stolen and then sold to hackers who then used them to make illegal purchases) were running (and continue to run) embedded XP.

    In fairness, though, XP being the OS didn’t really play a role, per se, in the ease with which the hackers accomplished the breach. It turns out that it would have happened exactly the same, even if the terminals had been running embedded Win8. The breach was due to a combination of Target IT staff not really knowing what in the heck it was doing, combined with the mechanics of the breach being OS-independent.

    Still, it’s interesting. Again, nice article. Between what it describes, and card skimming…

    SEE (Google search: “card skimmer” atm)

    …ATM users have to be really careful. Same with those who use their credit cards at gas pumps…

    …though users of cards issued by the gas station company are less at risk than are those who swipe their MasterCards and VISAs at gas pumps, where card skimming is an even more common thing.

    Additionally, swipers of MasterCards and VISAs (and other not-gas-company-issued, generalized credit cards) at gas pumps also end-up getting a whole bunch of their available credit above and beyond the amount of the actual purchase temporarily held/frozen, pending final clearing of the actual purchase amount through the merchant system.

    So, using MasterCard and/or VISA at a gas pump is just dumb, to begin with. Sadly, it’s becoming more and more true for those who use ATMs, as well.

    Gregg L. DesElms
    Napa, California USA
    gregg at greggdeselms dot com

    Veritas nihil veretur nisi abscondi.
    Veritas nimium altercando amittitur.

Leave a Reply

Your email address will not be published. Required fields are marked *

6 + 9 =