Should ATM Operating Systems Float to the Cloud?
Many aspects of modern banking are undergoing a technological revolution, but in the ATM segment, a debate is raging over whether new is actually better.
The controversy centers around whether it's time to move ATM operating systems to the cloud, and like the rest of the $335 billion enterprise software market, competition between cloud and on-premises software providers that make the country's 425,000 ATMs work is heating up.
One of the latest irons in the fire is NCR's Kalpana enterprise software platform. Launched on April 15, the thin-client technology allows users to service ATMs remotely and could reduce the cost of ownership by up to 40%, according to the company.
“We believe that there was really a need for a makeover of the entire ATM architecture to allow, number one, quicker introduction of new services in a way that didn't require us to visit physical ATMs to load new software,” Brian Bailey, vice president of software and branch transformation at NCR, said. “And then the other thing was, we wanted to make sure we were increasing security. This really allows us to do that in a much more protected way, by moving the application logic from the physical device, and the PC core within that device, to the cloud and to the enterprise.”
ATMs typically run on “thick-client” technology, which requires each ATM to have a PC core and an operating system, as well as applications that reside in the machine itself. “Thin-client” devices use mobile- and tablet-based technology, such as NCR's Android operating system, and the applications reside in the cloud.
“We don't have that ongoing cost of constant Windows upgrades that have become a real problem for the industry,” Bailey added. Microsoft ended support of Windows XP – which still runs on the vast majority of the nation's ATMs – on April 8, 2014, though it will continue to supply its Malicious Software Removal Tool until July 14 of this year.
Cloud-based operating systems like Kalpana could also prevent certain kinds of fraud, Bailey said.
“With no more PC core and a thin-client operating system, there are no more points of compromise,” he added.
But Aravinda Korala, CEO of UK-based ATM software maker KAL, said credit unions and other financial institutions should consider pumping the brakes a bit before moving their ATM operating systems to the cloud.
Systems such as NCR's Kalpana are intended to run on private clouds inside the firewalls of financial institutions, but that also means a credit union has to have its own cloud and the necessary hardware, Korala said.
“All of that kind of wonderful scalability stuff that you have with an Amazon Cloud goes away a little bit because you have to do it yourself,” he explained.
And though cloud-based software might mitigate some kinds of fraud, Korala said it might also introduce new risks.
“Here's the thing: If you hack an ATM, you hack one ATM,” he said. “If you hack the cloud, you potentially hack the whole network, right? You’ve got access to 10,000 ATMs. So suddenly the risk levels are higher.”
Internal mistakes also could have bigger consequences, he said.
“You might have 10,000 ATMs across the country connected to your cloud, and you make a little bitty mistake and 10,000 ATMs go down,” he explained. “So you have a different challenge.”
A mistake involving ATMs that run on more traditional software might bring down only 10 machines, he noted.
“You can't be saying, ‘Sorry, my network's gone down and I can't dispense your cash,’” he said. “One of the really nice things about the old fat-client thing is that all the thinking and the work is done at the ATM.”
The thin-client movement goes back several years, Korala noted, and the Windows XP issue did get people talking about whether or not there was a better way.
“I don't think the cloud answers that question, personally, because you still got those XP machines whether you have a cloud or not,” he said. “You still have to operate the XP machine 7 or 8, because if you have an XP machine with the application on the cloud, you still haven't solved your problem, that the XP is vulnerable.”
NCR's move to an Android platform does address getting away from XP, Korala admitted, but questions still remain.
“You have pretty much the same issues about what happens if Android gets hacked and who's going to update that,” he said.
According to the “ATM Future Trends 2015” report by ATM Marketplace and Italian software developer Auriga, it appears the cloud still has a ways to go before it becomes top-of-mind among ATM industry executives.
Only 2% said moving ATMs to virtual private networks (VPNs) will have the greatest impact on the global ATM industry in the next five years, according to the survey; another 4% said it would be more technology and equipment to protect cardholder PINs; and 1% said it would be deployment of more Windows-based ATMs. However, 17% said security/fraud/data breaches are the ATM industry's top threat; another 9% said cost of ownership, 4% said technology advancement and costs, and 2% said lack of innovation.
“I think that the world is not convinced yet that thin client is the answer,” Korala said.