Compliance Blog

Mar 12, 2014

Credit Unions Face the Crunch to Update ATM Software

Written by Kavitha Subramanian, Regulatory Intern

Although you wouldn’t realize it given the never-ending stream of polar vortexes, April is almost upon us! For many it hopefully means warmer weather and sunny days. But for thousands of ATM operators, it means scrambling to keep their machines secure from potential security risks.

Last year, Microsoft announced that starting on April 8, 2014, it will discontinue support for its Windows XP operating system, which currently runs about 95 percent of the 420,000 ATMs in the U.S., according to a Bloomberg report. NCUA officials also believe that about 75 percent of credit unions rely on Windows XP.

Due to concerns raised by the financial services industry, Microsoft announced that for a fee it will continue to provide updates and security patches for some Windows XP users until July 2015. While these individually negotiated agreements between Microsoft and ATM operators may be a viable medium-term option for the largest banks such as JPMorgan and Wells Fargo, they probably aren’t feasible for most credit unions. According to a survey conducted by the ATM Industry Association, only about a third of ATM operators said that they would be able to change machines over from Windows XP by the April 8 deadline.

What will this all mean for your credit union?

For starters, since Microsoft will no longer provide regular software fixes to prevent malware, any ATM that continues to run on Windows XP is at a much greater risk for a security breach. Microsoft warns that ATM operators must update their operating systems as soon as possible. “Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited,” Microsoft says on its Malware Protection Center blog. NCUA’s Ben Hardaway has also expressed increased concern for the industry: “The discontinuation of that operating system opens those systems up for viruses, cyber-security concerns, and then there's just simply an operations component that comes with a system that isn't being used anymore.”

In addition to raising security concerns, running ATMs on an unsupported operating system would put a credit union out of compliance with Payment Card Industry (PCI) standards. Credit unions that are not in compliance with PCI standards become more liable for any fraud or theft that occurs on the ATM. If the PCI Security Standards Council, made up of payment providers such as MasterCard and Visa, finds that a credit union is not in compliance, the credit union may be fined thousands of dollars per month. A credit union can remain in compliance with PCI standards even if it will not meet the April deadline, provided it puts in place a compensating control system while it is working toward a Windows 7 upgrade.

Though credit unions and other ATM operators have been working to shift their ATMs to Windows 7 in order to keep up with industry and security standards, the updated software requires more sophisticated machines. For many, it has been an expensive and arduous process that involves replacing some ATMs entirely and updating the components in thousands of others, costing some institutions thousands of dollars per machine.

If you are unsure what the system specifications are for your credit union’s ATMs, you should reach out to your ATM vendor or service provider as soon as possible. (More information about what this means for your operating systems can be found at Microsoft’s Windows XP end of support page.)

NCUA suggests that credit unions that may be unable to switch their ATMs from Windows XP before April 8 adopt a sound risk-management process that includes:

  • Identifying and assessing risks associated with the continued use of XP;
  • Working closely with third-party technology service providers to migrate from Windows XP;
  • Conducting analysis on applications using Windows XP to safeguard operational processes;
  • Isolating XP devices from the network; and
  • Reporting to senior management to ensure all risks are addressed.

As credit unions rush to transition their ATM software securely to Windows 7 before warmer spring weather sets in, they continue to deal with what seems like a never-ending stream of regulatory “polar vortexes.”