Why Migrating ATMs to Win 7 an Upheaval but Not a Crisis

 
 
By Chris Preimesberger  |  Posted 2014-05-14
 
 
 

Banking and financial-services IT are going through their biggest refreshes in decades right about now.

Not only is the April 8 Microsoft decommission of Windows XP operating systems forcing system managers to update their software and re-educate employees, but the advent of the Internet of things (IoT), cloud services and the proliferation of mobile devices is remolding the entire industry all over the globe.

We won't attempt to delve into all these trends in one eWEEK feature, but we will focus on one important topic here: How the exit of XP and the move to Windows 7 is affecting the operation of hundreds of thousands of ATM machines around the world.

For starters, the XP-to-Windows 7 caper is directly impacting automatic teller machines in your neighborhood and as far away as Africa, South America and the Far East. In fact, there is an installed Windows XP base of some 2.5 million ATMs in operation globally; NCR Corp. of Duluth, Ga. (which used to be known as National Cash Register Co.) supplies the IT for about 30 percent of them -- or about 740,000 machines.

'One of Biggest Upheavals in ATM Industry'

"This has been one of the biggest upheavels in the ATM industry in for some time, because it's not just a question of Microsoft deciding to end the support of XP; there are other issues around that as well," Robert Johnston, director of enterprise software marketing of NCR Corp. and a member of the team charged with keeping the IT of those 740,000 ATMs working, told eWEEK.

"While the banks aren't going to be dictated to by Microsoft in terms of dates as to when they will make the changeover, they are interested in compliance with the regulation called PCI (Payment Card Industry). That is the really the key driver in making banks take action and migrate their operating systems to Windows 7. More so than what's being forced by Microsoft."

The fact is, an ATM running Win XP can go for months and not require any IT update, but eventually the change will need to happen. NCR is, in fact, sending its crews out each day to make the updates one by one, and eventually will get to them all -- but it will take many more months to complete the job. Some newer ATMs can be updated remotely, but many have to do the upgrade manually -- an excruciatingly slow process. It depends upon how advanced each individual bank's IT system is, Johnston said.

ATM: The Opposite of a Desktop PC

"An ATM is an unattended automatic device, completely remote from any users who can control it,  from an IT point of view," Johnston said from his home in Edinburgh, Scotland. "It is the complete opposite from a desktop PC. The processes for security upkeep are quite significant.

"An ATM, unlike desktop or laptop PCs, which nowadays are almost like consumable business items, is a significant piece of capital equipment. These typically have an installed life of seven years or more. Deployers are reluctant to throw things away and replace the entire ATM unit most of the time, they're naturally going to prefer to do the smaller software upgrade to the new OS [version] wherever possible."

ATMs have a multi-layer IT system that include the operating system (Win XP) and, above that, something called the XFS layer, Johnston said. "That's a platform layer that allows anybody's software to run above it and for anybody's ATM to ride below it. For the XP machines, Microsoft supplies the OS and we [NCR] supply to the vendor the platform and the applications above that," Johnston said.

For security, NCR uses software called SolidCore, which guards the ATM against viruses and malware. "This keeps the PCI compliance in check," Johnston said, "and gives the deployers some breathing space to move across to Windows 7.

"It is late in terms of the Microsoft [end-of-service] date for XP, but it's not the calamity that some people have made it out to be."

Well-Controlled Migration Processes in Action

The entire changeover is a well-planned and controlled process that is governed by the financial requirements and the security compliance requirements, Johnston said. The fact that the banks, such as BofA, Citi, Wells Fargo and others, run their ATMs on a very secure network well-removed from the Internet makes the ATMs much less of a risk factor when moving data than most connected devices, he said.

At this time, about 80 percent of the NCR ATMs are running XP; only about 20 percent have been migrated to Windows 7, Johnston said.

In view of the constant updating of the Windows systems, are there any alternatives operating systems for banks to consider?

"This is a popular question at the moment. The industry is geared around PC architecture," Johnston said. "It's difficult to break away from it because all the major vendors are following that PC architecture. There's great economy of scale in keeping the status quo. That makes it difficult to break away from the Windows model, because you'd have to redesign everything.

"Because we have the platform layers of software which allow multi-vendor operation, that again has a certain momentum about it that makes it difficult for any manufacturer to move away from the Windows platform. That multi-vendor capability is very popular with customers, because they can choose independently between the software and hardware."

XP Has Done Yeoman's ATM Work for a Decade

The bottom line, Johnston said, is that even though "Windows has always come in for bad press and it's a subject to bash Microsoft, Windows XP, when it's properly managed and installed in an ATM environment, is extremely secure and has done very, very well over the last 10 years. Microsoft has invested a great deal of money is maintaining that security, and it's a trusted environment for the ATM industry."

Rocket Fuel