Some financial services companies are looking to migrate their ATM fleets from Windows to Linux in a bid to have better control over hardware and software upgrade cycles.
Pushing them in that direction apparently is Microsoft's decision to end support for Windows XP on April 8, said David Tente, executive director, USA, of the ATM Industry Association (ATMIA).
"There is some heartburn in the industry" over Microsoft's end-of-support decision, Tente said.
ATM operators would like to be able to synchronize their hardware and software upgrade cycles. But that's hard to do with Microsoft dictating the software upgrade timetable. As a result, "some are looking at the possibility of using a non-Microsoft operating system to synch up their hardware and software upgrades," Tente said.
Windows XP currently powers nearly 95% of ATMs around the world. When Microsoft pulls the plug on support for the operating system on April 8, ATM operators who have not upgraded will essentially be running their systems on an obsolete operating system with no technical support from Microsoft
More than 60% of the more than 400,000 ATMs in the U.S. are expected to be on Windows XP past the April 8 deadline.
Microsoft has said that such systems should be considered unprotected and has urged XP users to move to a newer version of Windows as soon as possible.
The Payment Card Industry Security Standards Council (PCI SSC), which is responsible for overseeing security standards in the payments industry, has already noted that ATMs still on Windows XP after April 8 will need to have certain compensating controls in place to be considered PCI compliant.
Many have already moved, or are in the process of moving, to Windows 7, the next available Windows upgrade for ATM systems. But others are considering Linux as an alternative, Tente said.
Before turning to Windows XP, a majority of ATMs ran IBM's OS/2 operating system.
A new ATM can cost anywhere from $15,000 to $60,000 and operators typically like to have at least a seven- to 10-year lifecycle for each one. In some cases, ATMs remain in place for 10 to 15 years, Tente said.
For many ATM owners, moving to Windows 7 will require hardware upgrades that add to the overall cost of the migration. On top of that, ATM owners will also have to spend more on enabling their systems for Europay Mastercard Visa (EMV) smartcard standards, he said.
ATM owners "have had to deal with PCI compliance. They had to go through [Americans with Disabilities Act] compliance and now they are looking at both EMV and a Windows upgrade," he said.
Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS), said that almost 30% of installed point of sale systems at convenience stores and petroleum retailers already are Linux-based.
"It makes sense to move to a bespoke, but open, platform like Linux -- even from a data security sense," Taylor said. "Microsoft's Achilles heel is data security."
Windows XP and embedded XP has been the cornerstone of Microsoft's presence in the retail sector during the past several years, he said. The embedded version especially allowed operation on very low-level hardware.
"If I were Microsoft, I would have kept XP embedded alive for a few more years, and charged an escalating support fee" for it, he said. "That said, Microsoft has to serve shareholders and continually investing in a dead OS does not make sense."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.