Banks to pay Microsoft millions to keep cash machines running Windows XP

News 17 Mar, 2014

April deadline looms large but 95 per cent of all ATMs still run the ancient OS.

Banks around the world are set to stump up millions of pounds to Microsoft in a bid to keep their cash machines running after support for the venerable operating system runs out in April.

According to reports by Reuters, only a third of cash machines running will have upgraded to Windows 7 by the April deadline. There are around 2.2 million machines worldwide and currently 95 per cent of them run XP.

The move to buy support will cost millions as the banks look for ways to protect the machines from hackers and malware.

Sridhar Athreya, London-based head of financial services advisory at technology firm SunGard Consulting told Reuters that for British banks alone, the cost of extending support for Windows XP would be around £50 to £60 million.

It is said that five of the UK's largest banks; Lloyds Banking Group, RBS, HSBC, Barclays and Santander UK, have arranged or are in the process of arranging extended support for Windows XP from Microsoft.

"There are certainly large enterprise customers who haven't finished their migrations yet and are purchasing custom support," a spokesman for Microsoft told a Reuters reporter.

The PCI Council, which oversees security standards for the card payments industry, has warned financial firms that they must upgrade old operating systems as soon as possible.

"Don't make yourself an easy target, talk to your technology provider today and make sure your PC and systems are not putting your customers' confidential payment card data and your business at risk," the organisation warned.

Professor John Walker, director of CSIRT and Cyber Forensics at Integral Assurance said that its not the cost of the software, "but the cost of doing it that drives the need 'not-to-do'.

"In many cases they pay a fortune just to run virtual systems, as the legacy issues are so great, they can be massive in cost. However, whilst you can run from the upgrade in the short term, you must hit that wall of facing up to it one day. Its just putting off what you should do today until tomorrow."

Walker said that it raised questions over keeping aligned with PCI-DSS.

"How do such organisations can get away with it, in so many places, and for so long. I expect this is the case of, when is a 'Standard' not a standard - answer, when its called 'PCI'," he added.

Vincent Nola, interim head of financial services at Musgrave Retail Partners said the upgrade of a critical operating system is not looked at as revenue enhancing "but just a cost, so the incumbent directors who are responsible for the infrastructure push the problem down the road and then it is somebody else's problem."

"I find this amazing as retailers are being pushed to become PCI complaint, and rightfully so - look at the Target breach. But the institutions are not addressing their serious legacy issues, which will only get worse over time," he added.

Disqus - noscript

WHY are they upgrading to Win7 - surely they realise that this pattern is going to repeat in another few years time ? Should they not ALL be thinking of investing together into a proprietary "secure" OS whose number 1 priority is security ? I would love to see the cost-benefit/risk analysis on this...

Agree with autoq. Open Source - Crypto.

However, I worked on the now ancient NatWest RBP installation and I can say with a 99.99% certainty that the banks will be way too shortsighted and adopt a devil-may-care attitude to this. £60M to them is a drop in the ocean - especially as it is often money they have inveigled out of the public.

They should move to Linux pronto & avoid getting themselves into this mess again.

Difficult to see what the risk element is here anyway - An ATM shouldn't be browsing untrusted websites or the like, so it shouldn't be exposing itself to hacking.

Agree though that Windows 7 is an unwise move. Linux or BSD would be more sensible.

Read more about: