It may come as a surprise to learn that the vast majority of the world’s ATMs run on Windows XP. However, by now many people are aware that on April 8th 75% of the nation’s ATM machines will be running on an operating system that is no longer maintained by its creator. Only 38% of banks that responded to an ATMIA global survey in September 2013 indicated that they intended to upgrade (to Windows 7 or equivalent) by April 8th this year; however, according to ATM Marketplace, only 15% of the 95% of the world’s ATMs that run on XP will have actually been upgraded by April. Don’t be alarmed, though: your money is reasonably safe.
The good news is that there are alternatives to upgrading the XP operating system. There are 3rd party products available to secure ATMs from the risks of an unsupported XP platform. For example, Wincor Nixdorf is touting their PCE/E Terminal Security Software as a wrapper around XP or Windows 7 – providing access and intrusion protection as well as hard disk encryption.
Even though there are “band-aid” solutions, the overarching strategy for banks running XP needs to include the inevitable Windows 7 upgrade – and I believe most banks and credit unions will make this change in 2014. In fact, at least one institution, US Bank, has already upgraded their entire fleet of ATMs to run on Windows 7.
So what happens on April 8th to those that will not yet have made the change? Well, probably not too much immediately – there is unlikely to be a cadre of “bad guys” counting down the minutes until midnight in order to plunder our accounts via the ATM interface. Some banks will pay Microsoft to extend the maintenance window; however, this will likely be for an abbreviated period of time since extending maintenance can become an expensive business. For those that do not elect for extended maintenance, there will be an escalated risk of malware and security breaches. All that said, this is not another Y2K event, and we will still be able to extract our cash on April 9th without having to step into a branch. Keep in mind, of course, that all the normal ATM best practices will apply, i.e., carefully shield your PIN, check that the card slot has not been tampered with, etc.
So why are banks behind the ball on this impending change? Simply put, the constraints to comply and upgrade are driven by cost, time and resource limitations as well as competing bank priorities. So, beyond the apparent lack of foresight by banks in planning for this upgrade, is the ATM channel and its outdated architecture still relevant? Arguably no. Banks continue to invest heavily in mobile banking in addition to improving branch experiences. We receive personalized offers for our credit cards and messages on our mobile devices to warn of potential fraud. We can ‘mobile deposit’ a check without leaving the couch. The humble ATM, however, has not really kept up with the overall level of banking innovation. In 2014 I would like to be able to interact with an ATM the same way that I do with my smartphone or with the same level of service that a teller provides.
The primary purpose of an ATM machine is and always has been to dispense cash, normally limited to around $200 a day. For that reason end-user security is less tight than it is for online banking, where a combination of IDs, randomly generated numbers and passwords is required to verify access. That being said, most people would find the typical smartphone level of security overbearing in order to withdraw $60 from their checking accounts. The other reason for the lack of sophistication at the ATM, in terms of services, is that ATMs are designed to provide a rapid, efficient service; the channel is not designed to deposit checks, move funds between accounts, or pay bills. At least not when the ATM in question is a single machine in the wall outside the bank, in a mall, or at the train station.
All that said, there is innovation in the ATM channel – it’s just painfully slow compared to other areas of bank innovation. The ATM remains relevant; in fact, for many customers it remains the primary interface with their bank because not everyone wants to bank online or via a smartphone.
In part two of this post I will address how banks can continue to raise the customer experience bar by embracing ATM innovation.