On the day that Microsoft ends tech support for the Windows XP operating system, research from RBR suggests that hardly any European ATMs have been upgraded to Windows 7.
From today Microsoft will stop rolling out security updates and patches for XP, leaving machines running the 12-year-old operating system more vulnerable to attack.
Yet 89% of ATMs in Europe were still running the OS at the end of 2013 with just 4150 machines - 0.7% of the total - upgraded to Windows 7. Most countries covered in the report - 23 of 33 - have no Windows 7 ATMs at all.
Around 20,000 machines - mostly in the UK and Spain - actually run IBM's OS/2, for which standard support ended in 2006.
The process of upgrading to an alternative such as Windows 7 is both complicated and expensive for ATM operators and many have instead chosen to pay Microsoft for extended XP tech support.
The RBR says that ATMs have a limited and relatively stable software set-up, making locking down the operating system a more practical option than for PCs.
Meanwhile, operators can use techniques such as whitelisting, sandboxing and encryption, along with more conventional technology like firewalls and anti-malware software to mitigate risks. However, it is not clear whether these measures comply with PCI requirements.
Separate research from the US National ATM Council suggests that the vast majority of ATMs operated by non-bank providers at retail locations do not use XP.