What do you mean I am not PCI compliant?

According to Bloomberg BusinessWeek, 95% of the 420,000 ATMs in the USA are running Windows XP. That’s a lot of ATMs that are being affected by the Microsoft announcement to end support for Windows XP on April 8, 2014. Without Microsoft’s support, which includes security patches, bug fixes, driver updates and more, ATM networks operating Windows XP will fail to be PCI compliant – a risk that could result in audit failures, ATMs open to cyber-attacks and possible fines.

In speaking with many bank and credit union customers that own and operate ATMs running on Windows XP, it has become evident that most have not been applying Microsoft updates to ensure current PCI compliance anyhow. This is due mainly to internal policies not being in place, or to a lack of the knowledge and resources needed to handle such update programs. As you may know, Microsoft sends out alerts once every month, via the internet or email, to inform Windows XP users of any updates available for download. Some of these updates are optional and may not apply to your specific systems, while others are considered critical.

As ATMs are not typically connected to public domains and are not set up with email, they do not have the luxury of automated alerts to help manage these required updates, and they require more hands-on, proactive effort to ensure updates are applied. Some ATM owners have IT staff within their financial institutions to handle this, while others may outsource this service to IT professionals. Absolute Financial has decided to take an active role in coming up with a solution whereby the ATM vendor can offer this service in cases where the financial institution does not have an IT person or company to turn to.

Upgrading your hardware and software is the first step to ensuring that your ATMs are PCI compliant. PCI compliance is not a one-time fix that is good for the life of your ATM. PCI compliance is fluid and always changing, needing updates to software, firmware, BIOS, drivers and so on. It can be a very frustrating process to ensure your ATMs REMAIN PCI compliant. Even though ATMs are not typically on the public domain and are behind your existing firewalls, the risk is still there and the compliance concern is still relevant.

In addition to upgrading your ATMs for PCI compliance, this may be a perfect opportunity to deliver richer experiences to your customers, such as two-way video and check imaging for deposit automation or perhaps custom screens for marketing. There are a number of features on ATMs today that did not exist on ATMs years ago, features such as voice guidance and large color touch screens.

The migration to Windows 7 is just one of the upcoming changes that will affect the ATM industry. As you upgrade your ATMs for Windows 7 or as you develop a strategy this year to make it happen, this would also be a good time to consider other updates that can be handled at the same time to maximize your return on investment. Some of these considerations may be to address EMV compliance in preparation for liability shifts from MasterCard, VISA and others in the next couple of years or so. If you haven’t taken care of ADA compliance at your ATMs, this would be a good time to address both at the same time to reduce labor costs.

The ATM industry will indeed have many more changes in years to come but none as large as 3DES, ADA and the software operating systems shift. As threat levels increase with hackers and other criminals, so does the need to counter with updates to your software and hardware.

Now is the time to take action. Start working on your strategy for moving your computers and ATMs off of Windows XP and over to Windows 7. Analyze your vendor support for upgrading these devices to the newer OS and evaluate how you will update your endpoints. Moving to a newer operating system will help you provide a more secure environment for your customers, members and other ATM or card account holders, as well as ensure you are in compliance with Payment Card Industry (PCI) requirements.

Please call me for any questions you may have or assistance in evaluating your needs.

Carl B. Schriber
Vice President
Absolute Financial Services, Inc.
2251 Destiny Way, Unit #2
Odessa, FL 33556
PH: (727) 753-0233
Email: carl@afsiatms.com
Website: www.afsiatms.com
