BRITAIN’S banks could face severe financial penalties for breaching data security rules if they do not upgrade the ageing software that runs virtually every cash machine, a US regulator has warned.
Some 95 per cent of the world’s cash machines are powered by Windows XP, an operating system released by Microsoft more than 12 years ago. From April, Microsoft will cut off support for the software.
According to the Federal Financial Institutions Examination Council, a regulator tasked with overseeing standards in the US banking system, this exposes banks to “increased operational risk”. It has told banks they may not be complying with a key security standard if they do not upgrade their systems.
“Financial institutions and technology service providers that are subject to the requirements of the payment card industry data security standard (PCI DSS) and continue to use XP after 8 April 2014 may no longer be compliant,” it said.
PCI DSS is the main standard related to the storage of payment card data, and the UK’s Information Commissioner’s Office (ICO) has the power to fine organisations up to £500,000 if they fail to meet their obligations under the Data Protection Act.
An ICO spokesman said: “Under the Data Protection Act it is the responsibility of organisations, as data controllers, to keep their customers’ personal information secure. This includes ensuring that software and operating systems remain secure throughout their operational lifecycle.”
About 65,000 ATMs in the UK are connected to the Link network. A spokeswoman for the body said: “We would expect that any ATM operators currently using Windows XP are looking at the options and solutions relevant to their situation, and then install them.”
Bank of Scotland has 648 cash machines and a spokeswoman said the lender has “limited operational risks” because its upgrade plans are “already well progressed.”
It is believed that rival Royal Bank of Scotland, including its NatWest and Ulster Bank brands, has 9,500 ATMs still running on XP, but the group has reached a deal with Microsoft that will see the US technology giant continue to support the system for at least three years while it upgrades to Windows 7.
The state-backed lender has suffered a string of IT problems in recent years and chief executive Ross McEwan admitted last month that it had failed to invest properly in its systems “for decades”, after customers were locked out of its online banking and ATM systems on one of the busiest Christmas shopping days.
The Financial Conduct Authority is probing a previous meltdown experienced by RBS in the summer of 2012.
A spokesman for the watchdog, which will be responsible for regulating ATMs after April, said: “We have rules in place to make sure that firms have IT systems that work for their customers and we do act if they fall down.”