CUs Eye ATM Upgrade Deadline

The countdown clock has started ticking on the looming end to support for an operating system that powers many ATMs – the latest in a series of ATM-related deadlines for credit unions in recent years – and pros say it’s time to start getting ready.

On Jan. 14, 2020, Microsoft will stop providing technical assistance and automatic updates for Windows 7, meaning that if credit unions don’t move ATMs to Windows 10 before then, they could become more vulnerable to hackers and malware.

The shift could create a brand new window of opportunity for criminals, according to Keith Eckert, who is a senior technical product manager at JHA Card Processing Solutions.

“If somebody gained physical access to an ATM, they could insert malware into Windows 7,” he explained. “Windows 7 will not receive a security update that might take care of that threat or that malware that was inserted. The malware would continue to reside on the ATM and is a potential threat.”

Andrew Oasen, who is ATM product manager at FIS Payments, said the primary benefits of Windows 10 are indeed security-based.

“We have all seen a heavy increase in attacks on the ATM channel. Specifically and historically, we heard of skimming and things like that – more physical type of attacks. But now what we’ve seen is a large increase in malware and logical-type attacks. These attacks are quite dramatic internationally, but in recent years they have also become more common in the United States as well.”

Even though the end of assistance and updates for Windows 7 is still more than a year away, credit unions should start preparing now, warned Steve Glide, who is director of global product marketing at the Holly Springs, N.C.-based Paragon Application Systems, which tests software for financial services companies.

“If you don’t have your strategy outlined and well in hand to execute as we come out of the holiday season in early 2019, you’re in trouble,” he said. “Remember that the January date is also on the backside of a holiday season, and so most organizations will go into a freeze sometime in November … so if I were planning this, I would say for the sake of discussion that I would want myself to be done absolutely no later than Sept. 1, 2019.”

Credit unions should make room for a long process, Oasen said. They will need to work with their ATM vendors on upgrades, and they’ll likely have to confirm with their processors that they are ready to support the software versions required to support Windows 10.

This isn’t the first time credit unions have dealt with operating system upgrades in their ATMs. Not long ago, there was a shift to Windows 7 after support for Windows XP ended.

But there’s a twist this time, Eckert noted.

“When we went to Windows 7, EMV was not involved. With Windows 10, EMV is involved and as the ATM manufacturers have certified their ATM software to run with a Windows 10 operating system, they’ve also had to update their EMV kernels. Which then means to the service and processing industry, we not only need to certify Windows 10, but in many cases we need to recertify for EMV as well,” he explained.

“EMVCo provides approval letters for the manufacturers’ EMV kernels on the ATMs,” Eckert continued. “Those approval letters expire in a certain period of time, and the ATM manufacturers in some cases are taking this opportunity to update their EMV kernel and their approval letter, which requires us to certify.”

And like other upgrade processes, some credit unions may feel like they’re being told to hurry up and wait.

“When Windows 7 certification was being performed, there were ATM upgrades required and there was a backlog of hardware. There was also a backlog of service personnel to go out and upgrade these ATMs. That’ll be a challenge,” Eckert said. “The sooner the credit unions get on top of that and understand their ATMs and their situation, they can potentially schedule with their service provider to do something sooner than later.”

Then there’s the matter of the budget. Upgrading some machines might not be cost-effective, which could mean replacement; other machines might already be ready for Windows 10, Oasen cautioned. And others might need something in between, such as CPU or memory upgrades. Perhaps 10% of ATMs will need replacing, he guessed.

Credit unions with old or outdated ATMs will likely pay more to upgrade their operating systems, Eckert added.

“What credit unions can do is know their ATMs, get their service provider out to the ATM as soon as they can and understand what hardware updates might need to be made to those ATMs. It could be minimal or none; it could extend to a new processor or additional memory in order to run Windows 10,” he said. “The sooner they understand that and the cost associated with it, the sooner they can get prepared for the Windows 10 upgrade when their service provider has completed certification.”

Maintenance contracts might shift some of the transition work to vendors or third parties, but credit unions will likely still have a lot to do.

“The issue is going to be, how do I test it? How do I upgrade it in the field? Who do I pay to do that? In some cases you may be able to just download the software remotely,” Glide noted.

“Some folks will have to actually touch their ATMs, which is always an expensive process. If you can avoid having to physically touch the ATM, you’re going to be way ahead of the game.”

As mentioned, January 2020 isn’t the first deadline credit union ATM operators have had to grapple with. In 2012, many ATMs needed overhauls after new standards in the Americans with Disabilities Act took effect. As noted, in 2014, support for Windows XP ended, forcing a wave of upgrades. One of the latest is the EMV liability shift.

Those are on top of a near-constant stream of new ATM technology advertising everything from face recognition to bill pay and holograms.

It may be tiring and expensive to keep up, but members don’t really care about upgrade fatigue and neither do regulators, Glide cautioned. Both have little patience for financial institutions that procrastinate on security.

“I think that you run a significant risk to your brand. You run a significant risk to losing customers to competitors and other entities, and you even run the risk of legal and regulatory intervention if you’re not careful in some of these cases,” he said.

“I would rather be able to say to folks that I did everything I could do: I started earlier, I planned early, I got this done. Even if [you] have hiccups, you’ll be in better shape than if someone says, ‘Well, I left it till the last minute and that’s why I had a data breach.’ Nobody’s going to look kindly or favorably on that scenario.”