The Reserve Bank of India (RBI), the country's s central banking authority, told local banks to update all ATMs still running Windows XP to a newer operating system by June 2019, or face regulatory sanctions.
This order is part of a notification RBI officials sent to Indian banks on Thursday, June 21. The notification provides a detailed timeline and deadlines for upgrading the country's ATM network.
Banks have two months at their disposal, until August 2018, to implement basic security features for ATMs, such as setting a BIOS password, disabling USB ports, disabling the OS auto-run facility, applying the latest OS security patches, setting up a time-based admin access calendar, and more.
Anti-skimming measures are to be implemented by March 2019, according to a copy of the notification obtained by Bleeping Computer.
Of all the proposed security measures, the one that's going to cause the biggest headaches is the one that mandates that all banks use a supported OS for their ATMs.
Currently, most ATMs across India (and all over the world) run Windows XP, an operating system that Microsoft retired in 2014. RBI wants banks to move to a newer, "supported OS" by June 2019.
Indian banks must have a quarter of their ATMs running a modern OS by September this year, a half by December, three-quarters by March next year, and all ATMs by June 2019.
"The slow progress on the part of the banks in addressing these issues has been viewed seriously by the RBI," RBI wrote in its notification.
"In order to address these issues in a time-bound manner, banks and White-Label ATM Operators are advised to initiate immediate action in this regard and implement the following control measures as per the prescribed timelines:"
|Sr. No.||Control Measures for the ATMs||To be completed by|
|a.||Implement security measures such as BIOS password, disabling USB ports, disabling auto-run facility, applying the latest patches of operating system and other softwares, terminal security solution, time-based admin access, etc.||August 2018|
|b.||Implement anti-skimming and whitelisting solution.||March 2019|
|c.||Upgrade all the ATMs with supported versions of operating system. Such upgrades shall be carried out in a phased manner to ensure that in respect of the existing ATMs running on unsupported versions of operating system,|
|i. Not less than 25% of them shall be upgraded by||September 2018|
|ii. Not less than 50% of them shall be upgraded by||December 2018|
|iii. Not less than 75% of them shall be upgraded by||March 2019|
|iv. All of them shall be upgraded by||June 2019|
An RBI spokesperson declined to comment for this story, deferring to the notification.
The move is an important one. Banks will have to invest serious funds in updating their ATM networks in the coming months.
The RBI's decision didn't come out of the blue either. Officials first warned Indian banks to move away from XP, back in 2014, three weeks before the Windows XP OS was supposed to go end-of-life.
New warnings were sent out in March and September 2017 after several Indian banks suffered from ATM-related security incidents in 2016.