Many banks paying Microsoft big bucks to support Windows XP-based ATMs

Because the vast majority of ATMs still run Windows XP, many banks in the US and UK have already extended, or plan to extend, their support contracts with Microsoft past April 8th, when the company officially stops supporting the 12-year-old operating system. After that date Microsoft ships no further security fixes for XP to ordinary customers, so any vulnerability found later stays open on machines that handle cash and card data unless the owner is paying for extended support.

Reuters reports that the top five UK banks (Lloyds Banking Group, Royal Bank of Scotland, HSBC, Barclays and Santander UK) could each pay as much as $100 million, a figure that combines the fees for continued Windows XP support with the cost of moving their ATMs to a more recent version of the OS. Microsoft offers what it calls "Custom Support" to large businesses: a paid contract under which it keeps delivering security updates for a product after its public support has ended.

In the US, JPMorgan says it will start moving its ATMs from XP to Windows 7 in July, with the goal of finishing by the end of 2014. A spokesperson would not say how much the bank is paying Microsoft for its extended contract. Bank of America and Citigroup also declined to say how much they will pay Microsoft to keep supporting XP while they upgrade their ATMs.

It is becoming clear that even though Microsoft had warned for years that XP support would end, many large businesses did not heed the alerts and will now pay far more because of the delay.

Source: Reuters | ATM Image via Shutterstock


72 Comments


Apparently some ATMs aren't running Windows XP Embedded, where support ends in January 2016 according to Microsoft's website: https://www.microsoft.com/wind...-us/product-lifecycles.aspx

Why would a public-facing financial machine, like an ATM often exposed to the elements, use a non-embedded OS? Doesn't XP Pro with embedded restrictions have the longer end-of-life date, January 2016? After 30 years of being a partner, I still find MS licensing baffling sometimes.

Those banks should've invested in Raspberry Pi: a lot cheaper and more maintainable without having to pay large bucks to third-party OS vendors.

Banks must push the ATM manufacturers to upgrade the OS to Windows 7. I believe it is not difficult. It is much safer in the long run. No need to change the whole machine. Just the OS, at most the CPU.

Not really.

They are not internet enabled and locked down tighter than a virgin's ***. If you even plug a keyboard in, they will send an alarm and lock up, requiring a reimage.

It is truly embedded

>>Many banks paying Microsoft big bucks to support Windows XP-based ATMs

Don't be surprised when these five UK banks and the US banks send you their updated fee schedule for services in the mail to cover the cost of this.

OS/2 will 'keep on going' without updates/support though. I'm interested to know what medium ATMs use to communicate back to main 'servers'.

In many cases, dialup modems.

Something a lot of people don't seem to consider: the hardware in most ATMs is as low as it can get and still be able to run XP (usually XP Embedded). These machines would have to be replaced as they just won't run newer versions of Windows.

That would cost a HELL of a lot more than the cost of paying MS for a custom support contract.

I can't see why an upgrade would be so expensive. Surely ATMs are modular. They'd just have to replace the embedded PC card/module. A Raspberry Pi ($35 AUD) could even have enough power to run an ATM, and such a system would be fairly cheap to develop (definitely under a million). Most of the security checking would be done on the server side, while the devices on the ATMs themselves (i.e. card reader, note dispenser) wouldn't be anything fancy from a mechatronics point of view. A Raspi could easily be made to run a touchscreen and a web page over a dialup modem; a Core 2/i3 would be overkill.

Nope. They're not modular at all. They're custom built single units with dedicated hardware (that employs quite old technology these days because it's tried & tested and completely reliable), that costs thousands per unit.

If they redesigned using latest tech, you're talking hundreds of millions in R&D, software development and so forth. These devices need to be as no fail as possible, and they absolutely HAVE to be completely secure.

They can do it, sure; but why should they? What they have works perfectly fine for their needs, and in most cases, these machines don't even need to be updated.

Cheaper to just pay for a custom support contract than to go through the costs of upgrading.

On an ATM, why would XP require updates if it's working perfectly and not connected to the internet?

I saw an ATM booting NT/2000 not long ago - the exact unit is still there, and many people continue to use it. There hasn't been any issues with security either from what I've heard/seen.

If an ATM allowed users to plug in USB drives and listen to music while they make a transaction, then that would be a different story.

If I had the choice, I'd move to Red Hat.

68k said,
If I had the choice, I'd move to Red Hat.

Why? You're stuck in the same boat, paying for the OS, paying for support, and paying (through the nose) if you want support outside its life cycle, never mind paying to have all this stuff redone from scratch, retraining everybody to work with it, the amount of time such a transition would take, etc. etc. Sounds pretty expensive.

What do you think about something open-source like CentOS? Then updates would be free. I'd expect banks to have their own (pro) IT staff to configure it.

68k said,
What do you think about something open-source like CentOS? Then updates would be free. I'd expect banks to have their own (pro) IT staff to configure it.

Always possible, sure, but there's still the whole "rebuilding everything from scratch" thing (assuming the hardware works with it; ATMs aren't PCs), which is most likely going to take a good bit of time and money. Their IT staff (at every location) may or may not know an entirely different OS and way of doing things, that is, more training and/or re-hiring costs, and support on CentOS is not free, just the software itself. Plus of course they still need to make timely updates or they'll wind up in the same boat as they are now.

Cheaper to pay than to create and customize a distro.

Folks, these are not home PCs with trivial apps.

These require audits and strong policy support. Windows GPOs provide this.

Zeke009, some of the places I worked at were the same. At management and project level you talk about doing such a migration and estimates, but only after actually starting the project will they usually become aware of the implications and complications. This is then what delays it even more.

Same old comments, funny to read, yet so sad. Always the same arguments: it's IT's fault, managers' fault, they've got plenty of money but want to save it, incorrectly allocated, too lazy to do something about it, etc.
My bet would be that most of you never really worked in the IT of the banking industry and know how their IT systems are all connected together. And I don't mean on the helpdesk hearing stories from colleagues, but in the IT at the backend that manages and plans the architecture of the critical systems that connect the entire banking industry worldwide.
Yes, Windows XP is old, yes, they knew for a long time that it would go out of support in April, and yes, there was work being done that started years ago.
Most of you do not realise that switching the OS of a banking employee's desktop is not the same as switching the OS of an ATM machine, and that this is not solely bound to each bank's will to upgrade their ATMs. Same goes for other systems.
Do you really think that they all woke up a few months ago and thought: "Damn, I hear Windows XP will be retired in a few months, let's do something about it."
When they start their migration in July, it doesn't mean that they were sitting on their bums until now. They were already planning and preparing for many years. What for you is an insane amount of money to pay for the extended "Custom Support", banks were already planning for in their budgets. I know of at least two companies that paid for this kind of support for quite some time to keep Windows NT going.
Whilst many companies have it easier to migrate, other companies are a world apart with different concerns and focus. Not everything is as easy as most of your comments make it seem, even when it has been known for years that support was going to end.
/My 2 cents & rant over
Have fun taking it apart and throwing the same old arguments at me all over again ;-)

Odom said,
... Yes, Windows XP is old, yes, they knew for a long time that it would go out of support in April, and yes, there was work being done that started years ago...

... Do you really think that they all woke up a few months ago and thought: "Damn, I hear Windows XP will be retired in a few months, let's do something about it."
When they start their migration in July, it doesn't mean that they were sitting on their bums until now. They were already planning and preparing for the past many years. ...


I have watched this play out first hand while being one of the targets for the people who would not spend a dime. Because of my experiences, I think the decision makers at these banks were sitting back thinking they would get a pass of some kind.

The ones I experienced, said things like "Microsoft will cave to the pressure.", "They will never do that to us, we're a major customer." and "It can't be that bad, do it with the resources you have. Funding denied." I have also had some people laugh when I said their team would be responsible for paying the extended support costs. Now that it is clear MS won't cave and will charge them, they are begging for help.

Armed with the right business case, IT can get in front of it and get the business moving over a longer period of time and reduce the costs. But it doesn't matter how great your business case is if the other party has NO interest in hearing how you want to spend money on a project that isn't a priority of theirs.

Just a quick note in addition, I don't mean to excuse all the late migrators with my post, but merely to explain that the banking industry, and a couple of others, work differently.

Just switch to Red Hat Linux, which has a really long support period, and you can change the kernel yourself if you wanted to make it last longer than having to upgrade once official support ends. The cost would be about the same, but the cost isn't the reason why they aren't upgrading; it is the hassle and the chance of their ATMs not working properly once upgraded.

torrentthief said,
The cost would be about the same, but the cost isn't the reason why they aren't upgrading; it is the hassle and the chance of their ATMs not working properly once upgraded.

It's much more likely to run on the same type of OS than a completely different one that'll require a complete rewrite, and you're forgetting the associated costs that'll go with starting from scratch and having to support an entirely different system. (Never mind 7's compatibility with XP is excellent.) Besides, Linux has had breaking changes too between versions of the various things.

techbeck said,
Most ATMs don't even have access to the Internet so no big deal.

The easiest way to hack a computer system is when you have physical access to it, so yeah it is a big deal.

I worked for a credit union. It's not nearly the same thing. There are requirements and federal certifications and multiple levels of protection on ATMs, and they're not really the same as a normal client system. Banks may be different, but a lot of ATMs should be fine.

I would be amazed if the ATMs were on the public internet and accessible to the outside world. It would be interesting to know if Windows updates are actually installed on ATMs... I never imagined updates would be, personally.

The software that runs the ATMs on top of the OS is far, FAR more expensive and more difficult to ensure stability for than an older OS. Smart move by the banks; nothing wrong with prolonging the OS life in these things while the banks and other industries catch up, which takes MONEY, the same money that could be used to hire more people and thus help an economy recover.

I don't agree. If upgraded over time in preparation for an OS change the cost should be minimized and the support costs MS is charging would be avoided entirely.

Whoever makes decisions in their IT departments should be fired. XP end of support is not a surprise, and by doing nothing about it, it is costing their companies much more money to put right. No doubt many of them will pass some of this onto customers with increased fees.

McKay said,
I'm sure IT knew and made it well known. But were dismissed.

Maybe. Or they didn't make a good enough case to present to the higher ups, in which case they should still be fired.

Edited by mnl1121, Mar 14 2014, 9:14pm :

You'll be fighting a losing battle. IT departments are always the first to get budget cuts. Because when IT works, which it does most of the time it's invisible to general users.

Try and explain to higher ups with no understanding that you need to upgrade a network for a very high cost, and then pay for users to be retrained. Maybe pay extortionate fees to have custom proprietary software rewritten. All this on a network which to those managers is working perfectly fine.

It is hard, but possible. You just need to present a good enough case, which usually involves how it saves the company money in the long run. Short vs long term company impact.

Or how about they return the favor and fire you.

Throwing away something that generates trillions, yes freaking trillions, of revenue for over a decade, with no return on investment and risking god knows what at an expensive price, is insane and lacks judgment.

Aye. Executives know one thing. If it works, they're not spending money on it until the cost to maintain exceeds the cost to upgrade. Then they will be like 'how much $$ do I have to throw at this problem to make it go away and how much is the cost to maintain this platform in say 5-10-15 years?'

Smart move by microsoft and dumb move by banks. MS will be pocketing extra cash whilst banks continue to defy security best practice.

Yes, let's hope the banks learn their lesson and move their systems to Linux, so they don't have to depend on the whims of a vendor again.

recursive said,
Yes, let's hope the banks learn their lesson and move their systems to Linux, so they don't have to depend on the whims of a vendor again.

Sure. And spend a heck of a lot more in development and support. Sounds good.

recursive said,
Yes, let's hope the banks learn their lesson and move their systems to Linux, so they don't have to depend on the whims of a vendor again.

Omg, why do so many people say switch to Linux? You REALLY want your money handled by an OS that has no dedicated security support? And don't say then just use a supported Linux distro like Red Hat, because then that would cost just as much as Windows.

Switch to Linux is the most stupid comment I have heard all day regarding this story.

n_K said,
Smart move by microsoft and dumb move by banks. MS will be pocketing extra cash whilst banks continue to defy security best practice.

Banks have the money to upgrade to a better OS; they're just lazy and would rather pay to extend support.

mnl1121 said,

Omg, why do so many people say switch to Linux? You REALLY want your money handled by an OS that has no dedicated security support? And don't say then just use a supported Linux distro like Red Hat, because then that would cost just as much as Windows.

Switch to Linux is the most stupid comment I have heard all day regarding this story.


You obviously have never heard of Red Hat Linux? They and others offer support. If Linux fits the bill then do it. The ISS switched, so why would ATMs be any different?

soldier1st said,

You obviously have never heard of Red Hat Linux? They and others offer support. If Linux fits the bill then do it. The ISS switched, so why would ATMs be any different?

I've never heard of it? lol, funny, because if you read my comment you'll see that I mentioned it by name. Whether you pay for Windows or pay for Red Hat, it is all the same, cost-wise. People today have been saying switch to Linux to get rid of MS and because it is cheaper.

soldier1st said,

You obviously have never heard of Red Hat Linux? They and others offer support. If Linux fits the bill then do it. The ISS switched, so why would ATMs be any different?

The difference is ISS and ATMs do different things =). I am sure companies weigh the cost of Linux vs Windows vs Macs. ISS sounds like they are more comfortable with Linux than Windows. Banks are more comfortable extending support and updating to Windows 7 it seems =).

soldier1st said,

You obviously have never heard of Red Hat Linux? They and others offer support. If Linux fits the bill then do it. The ISS switched, so why would ATMs be any different?

It's like you literally just read his first two sentences and were so outraged that you clicked reply without finishing, dooming yourself to look illiterate.

macoman said,

Banks have the money to upgrade to a better OS; they're just lazy and would rather pay to extend support.

I think there's more to it than that. Businesses and government agencies have a long, well documented history with this issue, and the most common explanation I've come across is budgeting for these expenses.

It's not about the total dollars the company has available to them. They plan expense allowances in advance, and on a regular basis (yearly...?). And each year's budgets are based on variables from the previous year (previous budget vs. actual expenses etc). If ten years go by without this kind of investment, the budget for software purchases 'adapts' (shrinks).

This creates incredible resistance to these types of purchases when they start to become necessary. Suddenly an entity in the company says they need an additional 100 million dollars allotted to them for the upcoming year to upgrade software. It's the decision makers' *job* to vet that request and make sure it's reasonable, and the validity of the urgency (EVERYBODY believes their requests are top priority, all the time). If it's realistic to leave it out of the budget for the next year, they leave it out.

Multi-year expense planning is one of the most painful things in business, and one of the hardest things to fight for. If you try to save money for a few years in advance as 'buffer' for the expense later, all you end up doing is making it look like your division can get by on a lower operating cost, and the battle is that much more uphill. You need a LOT of decision makers on your side to get something like this done.

recursive said,
Yes, let's hope the banks learn their lesson and move their systems to Linux, so they don't have to depend on the whims of a vendor again.

Until they need to update the distro they select due to security patches, right? Linux isn't immune like Apple is, is it? They should also hope they pick one that will be around for a while. Red Hat and SUSE are the choices then, right?

btw: that was sarcasm about Apple being immune.

recursive said,
Yes, let's hope the banks learn their lesson and move their systems to Linux, so they don't have to depend on the whims of a vendor again.

I didn't even mention linux. My thoughts were move to a newer version of windows instead of shelling out for support on old versions...

Do you have ANY IDEA how expensive and time-wasting it is to redo all of a business's software, where they need to rewrite IE 6 code, security auditing, custom software, etc.?

You need 20 techs on site in a war room, and consultants charge millions! Creating documentation and recertifying all the apps is lunacy.

When done you are left with an inferior, immature, and untested ecosystem, with large support costs until fixes come in, all for no return on investment, as Win 8 does not offer any benefit over XP for ATMs.

Shiny new doesn't make sense for business

mnl1121 said,

Omg, why do so many people say switch to Linux? You REALLY want your money handled by an OS that has no dedicated security support? And don't say then just use a supported Linux distro like Red Hat, because then that would cost just as much as Windows.

Switch to Linux is the most stupid comment I have heard all day regarding this story.

Well, a lot of your money is already handled by Linux machines on the back end. Just have a look online and you will see every bank runs Linux somewhere in the system, as does pretty much everyone else who has your bank details (Amazon, PayPal, etc.).

Not Linux (any distribution), but UNIX - and typically Solaris. Same is true of credit unions - lots of Solaris back there. Same applies to stock exchanges, financial-services companies (including both brokerages and insurers that also sell/manage/package annuities, such as John Hancock) - it's one BIG reason why I have kept current on Solaris. This group was also among the MOST resistant to kicking CDE to the curb.

soldier1st said,

You obviously have never heard of Red Hat Linux? They and others offer support. If Linux fits the bill then do it. The ISS switched, so why would ATMs be any different?

Thanks to our pal Snowden, the very concept of Open Source is now a non-starter for anyone or anything that needs any kind of security. With Microsoft's OS you know where the buck stops. They guarantee their software and if it breaks you know who to call. With Linux you never really know what's in the libraries, who wrote it or who will take responsibility if it fails. OSS RIP.

Major_Plonquer said,

Thanks to our pal Snowden, the very concept of Open Source is now a non-starter for anyone or anything that needs any kind of security. With Microsoft's OS you know where the buck stops. They guarantee their software and if it breaks you know who to call. With Linux you never really know what's in the libraries, who wrote it or who will take responsibility if it fails. OSS RIP.

I would say it is totally opposite. Microsoft has been shown to do whatever the government wants. You have no idea if there are back doors in the software and you have to take their word it is secure. You get no assurance from Microsoft that their software is stable or secure or that they can even fix problems you have. This is just as true for open source software but at least you can see the code yourself. Build your own binaries should you wish. Do an independent audit. Flag things publicly if you find anything suspicious etc.

Just because Microsoft says their policy is to protect our privacy don't actually believe it. It is just advertising and marketing.

Why doesn't JP Morgan upgrade to Windows 8 (Embedded) and buy themselves even more years of support and not having to upgrade? They will be upgrading to an OS that is nearly 4 years old now. By the time they complete the upgrade it will probably be 5 years old where Windows 8 will be 2-3 years old and with a long road ahead as far as support goes...

Because it's not only the OS they need to upgrade, they need to upgrade the intranet pages or applications as well. Seems cheaper to prolong the support for XP.
I even found in some applications code that checks for Netscape 4 or IE 5.5

WAR-DOG said,
Because it's not only the OS they need to upgrade, they need to upgrade the intranet pages or applications as well. Seems cheaper to prolong the support for XP.
I even found in some applications code that checks for Netscape 4 or IE 5.5

I doubt it is cheaper. If they slowly upgraded their applications leading up to the OS upgrade, it should be far cheaper. The support costs MS is charging are quite a bit.

Obry said,
Why doesn't JP Morgan upgrade to Windows 8 (Embedded) and buy themselves even more years of support and not having to upgrade? They will be upgrading to an OS that is nearly 4 years old now. By the time they complete the upgrade it will probably be 5 years old where Windows 8 will be 2-3 years old and with a long road ahead as far as support goes...

Because there is no need to. What they already have works fine.

Why do people at this site not get that? Other sites like Maximum PC and ZDNet have XP die-hards who put it on new machines and are royally cynical about MS ending support.

ATMs don't do much, so it is not like they go obsolete or the software wears out, etc.

Obry said,
Why doesn't JP Morgan upgrade to Windows 8 (Embedded) and buy themselves even more years of support and not having to upgrade? They will be upgrading to an OS that is nearly 4 years old now. By the time they complete the upgrade it will probably be 5 years old where Windows 8 will be 2-3 years old and with a long road ahead as far as support goes...

I use Win 8 Embedded on the thin clients here at work. Win 2008 Server is on the server. Works great in a one store environment and don't see why it wouldn't work in a huge infrastructure like JP Morgan.

Obry said,
Why doesn't JP Morgan upgrade to Windows 8 (Embedded) and buy themselves even more years of support and not having to upgrade? They will be upgrading to an OS that is nearly 4 years old now. By the time they complete the upgrade it will probably be 5 years old where Windows 8 will be 2-3 years old and with a long road ahead as far as support goes...
Because the testing and adoption of a new OS for a bank requires quite some time. Also, different architectures within the bank will be affected and need changes.

It's not about "getting" anything. If we had Win XP at my store (Florida, USA), we would not be in proper security compliance to take credit cards. We got the letter last week that the company processing our credit card transactions would not be able to support anyone using XP after a certain date.
http://www.pcicomplianceguide.org/pcifaqs.php
For the home user it doesn't matter. Keep XP for 100 years if you want.

Yes but there is a difference between an XP computer using the internet and XP Embedded on a standalone machine connected to the bank by phone lines.

PCI compliance is a joke and means nothing in the real world, just a lot of box ticking to make people feel good without actually securing anything. I hate hearing "oh but we don't need that for PCIDSS .... "

They should just start paying Microsoft by dropping off old ATMs full of cash. Then they can buy a new Windows 8 ATM with Live Tiles.

Depicus said,
Yes but there is a difference between an XP computer using the internet and XP Embedded on a standalone machine connected to the bank by phone lines.

PCI compliance is a joke and means nothing in the real world, just a lot of box ticking to make people feel good without actually securing anything. I hate hearing "oh but we don't need that for PCIDSS .... "

Your opinion matters. FACT: we still have to be PCI compliant to process credit cards at my business or face huge fines. FACT: Win XP will not be considered a PCI compliant platform in the realm of processing credit cards.

This article is about ATMs and embedded XP, so your views on XP are just that, views. Indeed, while I don't disagree with you, I would like to see these facts where XP is considered not compliant, as I've yet to read that in any PCI DSS document I've seen of late.