We have had quite a few questions from bankers lately asking about ATMs and Microsoft's Windows 7 compliance deadline.
The ATM driver and hardware companies say their networks ARE NOT ready for an upgrade of the OS software on the ATMs and the supporting infrastructure. They will not be ready to update the ATM operating systems by the April deadline.
The interesting mitigation is that, in the big picture, this isn't much different from what these companies already do to manage their ATM networks. These ATM PCs are notoriously bad about being updated under a normal patch management structure. It is actually more common for us to find ATM PCs that have never been patched than to find them on a normal patching routine. It is just the way these companies manage their ATM networks. So ATM PCs being behind on patches is most likely no different than usual.
There are other mitigations in place that make these PCs and operating systems less exposed to the vulnerabilities that missing patches leave open, including the lack of internet access, network segmentation, and a highly specialized and augmented version of the Windows OS to begin with.
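Those compensating controls are only worth something if they actually hold, so here is an added example (not from the original post, and not any ATM vendor's tooling) of the kind of check we would want run against flow records from the firewall in front of the ATM VLAN. The subnet, the approved hosts and ports, and the sample flows are all made-up placeholders; a bank would substitute its own ATM segment and the peers its vendor documents.

```python
"""Compensating-control check for an unpatched ATM segment.

Added example, not from the original post. Given flow records exported
from the firewall in front of the ATM VLAN (constructed sample data below),
it verifies the two controls the post relies on:
  1. no internet egress from the ATM segment, and
  2. the segment talks only to an explicitly approved set of hosts/ports.
All addresses, ports and the allow-list are hypothetical placeholders.
"""
import ipaddress
from dataclasses import dataclass

ATM_SEGMENT = ipaddress.ip_network("10.50.0.0/24")  # hypothetical ATM VLAN

# Hypothetical approved peers: (destination network, destination port).
ALLOWED_FLOWS = [
    (ipaddress.ip_network("10.10.5.20/32"), 443),   # transaction host / switch gateway (assumed)
    (ipaddress.ip_network("10.10.5.30/32"), 3389),  # vendor jump box for remote servicing (assumed)
    (ipaddress.ip_network("10.10.5.53/32"), 53),    # internal DNS (assumed)
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_public(addr) -> bool:
    """True if the address is outside private/loopback/link-local/multicast
    space, i.e. reaching it means the ATM has a path to the internet."""
    return not (addr.is_private or addr.is_loopback
                or addr.is_link_local or addr.is_multicast)


def violations(flows):
    """Return [(flow, reason)] for flows that breach the segment's controls.

    Only flows originating inside the ATM segment are considered; inbound
    traffic to the ATMs is out of scope for this particular check.
    """
    findings = []
    for f in flows:
        src = ipaddress.ip_address(f.src)
        dst = ipaddress.ip_address(f.dst)
        if src not in ATM_SEGMENT:
            continue
        if is_public(dst):
            findings.append((f, "internet egress"))
            continue
        if not any(dst in net and f.dport == port for net, port in ALLOWED_FLOWS):
            findings.append((f, "destination not on allow-list"))
    return findings


# Constructed sample flows, in the shape a firewall flow export might take.
SAMPLE_FLOWS = [
    Flow("10.50.0.11", "10.10.5.20", 443),    # ATM -> transaction host: allowed
    Flow("10.50.0.11", "10.10.5.53", 53),     # ATM -> internal DNS: allowed
    Flow("10.50.0.12", "8.8.8.8", 53),        # ATM -> public resolver: internet egress
    Flow("10.50.0.12", "10.20.7.9", 445),     # ATM -> unrelated internal host: not allowed
    Flow("10.10.5.30", "10.50.0.12", 3389),   # jump box -> ATM: not from the segment, ignored
]


def main():
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")


if __name__ == "__main__":
    main()
```

Run on the sample data it reports two findings: one ATM reaching a public address and one talking to an internal host that is not on the approved list. Either result is exactly the evidence to put in front of the vendor and in the risk assessment, because it means the "no internet, segmented network" argument for accepting the unpatched OS no longer stands.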
As far as how this affects vendor management and your compliance efforts, I would try to get a more formalized response from your vendors on their plan to update the ATM OS, with an estimated time frame. In the interim, you can record this situation in your vendor management risk assessments to reflect the raised risk exposure and the non-compliance, while still documenting it as an acceptable risk to the bank.
Good luck, and if you want us to do that vendor management risk assessment work for you, give that Nik Prosser guy a holler - Nik@GarlandHeart.com