Microsoft is ending standard Windows 7 support on Jan. 14, 2020, which will affect billions of computers, including millions of ATMs worldwide.
Credit unions that choose not to migrate their ATMs could face security, compliance, and operational issues.
David McCrary, Executive Vice President, Cardtronics
Microsoft has released nearly a thousand security patches for its Windows 7-based operating system since the software giant made that its standard platform in 2009. The system drives millions of ATMs around the world, but on Jan. 14, 2020, Microsoft is ending standard support for the software. The move will affect billions of laptops, desktops, computer networks, and ATMs.
Windows 10, which has been around since 2015, has become ubiquitous in PCs; however, major ATM providers estimate that 90% of the 190,000 or so ATMs in the United States are still on Windows 7. Here’s a look at what’s coming next, from the perspective of ATM manufacturers, a major systems outsourcer, and a consultant.
To Migrate Or Not To Migrate?
David McCrary is executive vice president for Cardtronics, a Texas-based provider of managed ATM services to more than 2,000 financial institutions worldwide, including 700 credit unions. He says credit unions do not have to migrate to Windows 10 and should consider the pros and cons from both the operational and cost perspective.
If a credit union doesn’t migrate, however, keeping its ATMs secure will become more difficult and expensive once Microsoft stops issuing security patches. Plus, McCrary says, there’s the risk of not being compatible with new software from major equipment manufacturers, such as NCR, Diebold Nixdorf, and Hyosung.
Brent Gamble, Senior Product Manager, Diebold Nixdorf
“Any additional security risk is low with a properly hardened ATM software configuration,” McCrary says.
Brent Gamble, the senior product manager at Ohio-based Diebold Nixdorf, has a different take.
“In order to maintain compliance, there’s not an exception to this upgrade,” he says.
Microsoft says it will offer extended security updates for those unable to meet the January cutoff and willing to pay its fees, but Gamble calls that a stopgap measure.
“That does not provide all the customer and security benefits from completing a Windows 10 migration,” he says.
For credit unions that have a solid plan in place, with capable resources and the right tools, this is just one more big project.
Consequences And Payoffs
Beyond adhering to the data protection rules established by state and federal regulators, there’s another big compliance issue credit unions must consider before deciding to forgo a conversion.
The major card brands require issuers and those that accept credit cards to adhere to the Payment Card Industry Data Security Standard (PCI DSS), which includes this May 2018 update titled PCI DSS 3.2.1, Requirement 6.2: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”
Steve Gilde, Director of Product Marketing, Paragon Application Systems
So, what happens to those who run afoul of these rules?
“Any credit union running an unsupported version of the Windows 7 operating system on their ATMs will not be able to achieve or maintain PCI compliance,” says Steve Gilde, director of product marketing for Paragon Application Systems, a North Carolina-based provider of testing tools and services to more than 25 credit unions. “This could result in fines, network penalties, or even loss of access to certain payment systems.”
Derek Henderson, product manager and subject matter expert at Georgia-based NCR, says that, in addition to compliance and security issues, business impacts could include lack of access to new capabilities, including contactless and card-less transaction support.
On the upside, credit unions that do upgrade can take advantage of current and future opportunities that come with Windows 10.
“While planning for the Windows 10 migration, credit unions have the opportunity to review their ATM channel holistically and not only tackle current challenges but also plan for future changes, such as security considerations and other features and functionalities,” says McCrary at Cardtronics.
An Issue Of Hardware? Or Software?
Migration is both a hardware and a software issue, says Gilde at Paragon Application Systems.
“Depending on the age, models, and makes of its ATMs, a credit union might need to upgrade some or all of its hardware before it can upgrade the software,” Gilde says.
McCrary at Cardtronics agrees.
“From a migration perspective, the biggest challenge for Windows 10 is ensuring the hardware at the ATM is able to support the conversion,” he says.
According to McCrary, who serves as Cardtronics’ general manager for its U.S. products, machine age, hardware components, and residual book value should all be part of the value equation. However, the costs don’t stop there.
“Credit unions should also consider other disruptions and costs associated with the migration, including the cost to deploy Windows 10, disruptions to their branch operations and members, and the cost of regression testing,” McCrary says.
This might seem dauting, but credit unions won’t be in totally unfamiliar territory.
According to Gilde, the migration itself will be similar to the move from XP to 7. Microsoft officially ended XP support in April 2014, and most credit unions converted in the two years leading up to that date, he says.
“Some credit unions handled that migration quite well and others didn’t,” Gilde says. “For credit unions that have a solid plan in place, with capable resources and the right tools, this is just one more big project.”
Gamble at Diebold Nixdorf, meanwhile, says that unlike the cutoff from Windows XP to Windows 7 a decade ago, his company has been selling Windows 10-capable hardware for years. That, he says, reduces the overall volume of ATMs that need a hardware upgrade.
The ability to upgrade operating systems by reimaging terminals remotely also has advanced since that last conversion, making the process faster and more seamless. But that’s no reason to wait.
“One of the larger problems with the Windows 7 migration also was that customers waited until the last minute to place an order and were disappointed by the queue of installations that were placed before them,” says Diebold Nixdorf’s Gamble.
Read more about the changes to Windows in "Farewell Windows 7. Hello Windows 10.."
Want more credit union strategies? Sign up for the CreditUnions.com free newsletter.