Windows 10 Deadline Looms; Another Deadline for CUs

The clock has started ticking on the looming end to support for an operating system that powers many ATMs — adding to a series of ATM-related deadlines that credit unions have had to deal with in recent years — and pros say credit unions need to start getting ready.

On January 14, 2020, Microsoft will stop providing technical assistance and automatic updates for Windows 7, meaning that credit unions whose ATMs don’t move to Windows 10 before then could become more vulnerable to hackers and malware.

Even though the deadline is still about a year and a half away, credit unions should start preparing now, warned Steve Glide, who is director of global product marketing[TO4]  at Holly Springs, North Carolina-based Paragon Application Systems, which tests software for financial services companies.

“If you don’t have your strategy outlined and well in hand to execute as we come out of holiday season in early 2019, you’re in trouble,” he said. “Remember that the January date is also on the backside of a holiday season, and so most organizations will go into a freeze sometime in November…so if I were planning this, I would say for the sake of discussion that I would want myself to be done absolutely no later than September 1, 2019.”

Credit unions should make room for a long process, said Andrew Oasen, who is ATM product manager at FIS Payments. They will need to work with their ATM vendors on upgrades, and they’ll likely have to confirm with their processors that they are ready to support the software versions required to support Windows 10.

Credit unions will also need time to evaluate their fleets carefully, he noted. Upgrading some machines might not be cost-effective, which could mean replacement; other machines might already be ready for Windows 10. And others might need something in between, such as CPU or memory upgrades. Perhaps 10% of ATMs will need replacing, Oasen guessed.

“The primary benefit of Windows 10 is really more security-based,” he added. “We have all seen a heavy increase in attacks on the ATM channel. Specifically and historically, we heard of skimming and things like that — more physical type of attacks. But now what we’ve seen [is] a large increase in malware and logical-type attacks. These attacks are quite dramatic internationally, but in recent years they have also become more common in the United States as well.”

Maintenance contracts might shift some of the transition work to vendors or third parties, but credit unions will likely still have a lot to do.

“The issue is going to be, how do I test it? How do I upgrade it in the field? Who do I pay to do that? In some cases you may be able to just download the software remotely,” Glide explained.

“Some folks will have to actually touch their ATMs, which is always an expensive process. If you can avoid having to physically touch the ATM, you’re going to be way ahead of the game.”

The deadline is not the first that credit union ATM operators have had to grapple with. In 2012, for example, many ATMs needed overhauls after new standards in the Americans with Disabilities Act took effect. In 2014, support for Windows XP ended, forcing a wave of upgrades. One of the latest is the EMV liability shift. Those are on top of a near-constant stream of new ATM technology advertising everything from face recognition to bill pay and holograms.

It may be tiring and expensive to keep up, but members don’t really care about upgrade fatigue and neither do regulators, Glide cautioned. Both have little patience for financial institutions that procrastinate on security.

“I think that you run a significant risk to your brand. You run a significant risk to losing customers to competitors and other entities, and you even run risk of legal and regulatory intervention if you’re not careful in some of these cases,” he said.

“I would rather be able to say to folks that I did everything I could do: I started earlier, I planned early, I got this done. Even if [you] have hiccups, you’ll be in better shape than if someone says, ‘Well, I left it till the last minute and that’s why I had a data breach.’ Nobody’s going to look kindly or favorably on that scenario.”