RBI directs all banks to upgrade ATMs that are still running on Windows XP by June 2019

The Reserve Bank of India (RBI) has issued a notice to the nation’s banks to uninstall Microsoft's Windows XP operating system from all ATMs and upgrade them by June 2019.

For those unaware, in April 2014 Microsoft announced that it was discontinuing Windows XP. Since then, the company has not rolled out any security patches or announced any new features for Windows XP.

In April 2017, the RBI, through a “confidential circular” to banks, emphasized its concerns about ATMs running on Windows XP and other vulnerable operating systems.

“A reference is also invited to our confidential Advisory No. 3/2017 dated March 06, 2017 and No. 13/2017 dated November 1, 2017 wherein the banks were advised to put in place, with immediate effect, suitable controls enumerated in the illustrative list of controls,” RBI said in a confidential circular to banks about ATMs running on Windows XP and other unsupported operating systems.

Despite sending advisories to the banks in the past instructing them to put migration plans in place, things have not moved fast enough for the RBI.

“The slow progress on the part of the banks in addressing these issues has been viewed seriously by the RBI,” the notice said.

The circular issued by the central bank also highlights the “vulnerability arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures, could potentially affect the interests of the banks’ customers adversely, apart from such occurrences, if any, impinging on the image of the bank.”

The central bank has warned that it will take regulatory action against banks that do not comply with the order.

“It may be noted that any deficiency in timely and effective compliance with the instructions contained in this Circular may invite appropriate supervisory enforcement action under applicable provisions of the Banking Regulation Act, 1949 and/or Payment and Settlement Systems Act, 2007,” RBI said.

The RBI has given banks and “white-label ATM operators” deadlines to address all issues and carry out upgrades in a phased manner. It wants at least 25% of the ATMs to be upgraded by September 2018, while 50% of the systems must be updated by December 2018. All ATMs with a supported version of the operating system should be upgraded to the newest version by June 2019.

Besides directing the banks to upgrade their ATMs, the RBI has also asked them to implement other security measures, such as a BIOS password, disabling USB ports, disabling the auto-run facility, applying the latest patches for the operating system and other software, a terminal security solution, time-based admin access, etc., by August.

In addition, RBI has directed banks to implement anti-skimming and whitelisting solutions on ATMs so that only approved software can run on them. The deadline to implement these is March 2019.

The RBI has instructed banks to file their compliance plans by the end of July 2018. “The progress made in implementation of these measures should be closely monitored to ensure meeting the prescribed timelines,” the circular added.