RBI asks banks to scrap off 20 year old Windows XP from ATMs by June 2019; ATM association CATMi asks for hiking interchage rates

Last Updated: Wed, Jun 27, 2018 20:35 hrs
ATM Cash Out

A circular from RBI, the country's banking and financial regulator, has asked banks to scrap off Windows XP from their ATMs by June 2019.

The Reserve Bank said this notification was drafted after it observed not many banks complying to its previous confidential circulars.

The RBI was also pressed into drafting the circular thanks to the rising flaws and incidents of security breaches at ATMs owing to usage of old Operating Systems. The Reserve Bank issued an ultimatum, asking banks in the country that the ATMs must upgrade their operating systems from Windows XP latest by June 2019. Last year, the RBI had raised concerns about the vulnerability of ATMs running the out-of-support OS.

The RBI had raised concerns since April 8 2014, when news about Microsoft ending support to Windows XP had gone public. Read that story here.

In December last year, reports of ATMs being hacked in Russia by pressing the Shift key five times had spread panic among banking circles. Usually a full screen lock prevents access to components of the ATM OS, but pressing five times the Shift key activated sticky keys, exposing the task bar, Start Menu, and also a way to run malicious software.

Windows XP that turns 20 years, may sound like the perfect garage machine for toddlers, but it certainly cannot be a secure banking ATM. It's been four years that Windows stopped supporting updates for machines operating Windows XP.

A look around, and one would find that machines getting shipped from popular computer manufacturers ship with a genuine Microsoft 8.1 or a 10 version.

The Central Bank in its circular said, "It may be noted that any deficiency in timely and effective compliance with the instructions contained in this Circular may invite appropriate supervisory enforcement action under applicable provisions of the Banking Regulation Act, 1949 and/or Payment and Settlement Systems Act, 2007."

A timeline to upgrade most systems has been posted on the RBI's website. There are deadlines to add/ensure implementation of safety measures such as BIOS password for all ATMs, disabling auto-run facility, disabling USB ports, and applying the latest OS patches.

Additionally, the central bank has also directed banks to implement anti-skimming and whitelisting solutions by March 2019.

The Confederation of ATM industry in India welcomed the move, but proposed that banks should bear the additional expenses on security for all ATMs branded in bank’s name.

According to CATMi, recent compliance-related directives such as the Cash management/logistics, Cassette Swap etc. asks for sizable investments that may account for up to 40% of the cost of ATM machines. The industry association has also sought the RBI to consider the challenges of all stakeholders to ensure compliance to the newly announced measures.

The ATM industry association also made a case for White Label ATMs (WLAs) or ATMs that are owned by private operators and not banks. It called for an increase in the prevailing interchange rate to enable such ATM operators make such sizable investments in future.

K Srinivas, CATMi's spokesperson and the CEO for BTI Payments explained, "WLAs today are on a very weak viability structure as the cost of transactions are way higher vis-à-vis the interchange fee the operators receive. The cost of compliance, especially for WLAs, may put the already-stressed operators into further viability turmoil."

"WLA operators are the only entities deploying ATMs in underpenetrated rural areas. With this additional cost of compliance and cash management costs, future deployments may come to a grinding halt unless interchange is increased on a priority basis," he added.

Lalit Sinha, Director General at CATMi, added, "ATM growth in the country is already at standstill whilst the card issuance continues aggressively powered by PMJDY and other Govt initiatives. Banks especially PSBs are in a rapid shut-down spree on ATMs. As a result of these, the debit card to ATM ratio has spiked; meaning there are more ATMs needed to ensure ubiquitous coverage to these new card holders across the country, especially in semi urban and rural areas. These investments, whilst good for the industry as a whole, need to be funded in the form of an increase in the interchange fee paid by the card issuers to the deployers of ATMs, else we will continue to see a lull in expansion of the much needed ATM network in the country."