RBI has also said that the banks that fail to comply with the deadlines will automatically invite appropriate supervisory enforcement action under applicable provisions of the Banking Regulation Act, 1949 and/or Payment and Settlement Systems Act, 2007.
The Reserve Bank of India has made it mandatory for all banks operating in the country – both public and private – to shift from the Windows XP platform on their ATMs by June 2019. The directive, set out in an RBI circular dated June 21, comes exactly four years after Microsoft announced in 2014 that all versions of Windows XP were discontinued.
While this meant that the Redmond-headquartered giant would no longer push out any security updates or patches for the operating system, more than half of the country’s banks did not migrate from Windows XP on their ATMs, leaving them vulnerable to potential cyber threats.
The circular issued by the apex bank regulatory body outlines the vulnerability ‘arising from the banks’ ATMs operating on unsupported version of operating system and non-implementation of other security measures’. It also reminds the banks to refer to a confidential memorandum that was sent to them in April last year. In addition to the mandate on the OS upgrade, the banks have been told by RBI to implement other security measures such as overhauling the BIOS password for all the ATMs, disabling USB ports, and applying the ‘latest patches of operating system’, among others.
ATMs that are still running Windows XP or other unsupported versions of the operating system must be upgraded to the latest version in a phased manner. September 2018 has been set as the deadline for at least 25 per cent of ATMs to be upgraded, and 50 per cent of them need to run the latest version by December 2018. The entire line of ATMs operating in India must be updated to the newest version by June 2019.
RBI has also said that banks that fail to comply with the deadlines will automatically invite appropriate supervisory enforcement action under applicable provisions of the Banking Regulation Act, 1949 and/or Payment and Settlement Systems Act, 2007. “As the implementation of the foregoing control measures would also require field visit(s) to the ATMs, banks should plan and implement these measures in an optimal manner,” the regulatory body said in a statement.