At the time I posted my recent blog about finding a New York City Transit MetroCard vending machine running Windows NT 4 Service Pack 3 I contacted the MTA (Metropolitan Transit Authority) to ask them about it. I received a response from Paul Fleuranges, vice president of Corporate Communications, MTA NYC Transit:

Assuring the security of the MetroCard system is a multi-layered effort
encompassing technical solutions and procedures aimed at preventing
unauthorized access and detecting unauthorized activities during the
course of normal operations. The activity of the system is monitored for
unusual behavior at many points in the operation. Procedures are in
place to quickly respond to unusual occurrences in ways that not only
limit risk, but can lead to immediate remedial action.

NYC Transit is in the process of completing an extensive effort to
become compliance [sic] with Payment Card Industry (PCI) rules relating to
credit/debit transactions. While directly related to the business of
accepting bank cards, these rules have also helped NYCT further harden
its automated fare collection system against potential unauthorized
access to sensitive transaction information by hackers and employees.

In regards to your security related questions, which we will not address
here in any detail, it is safe to say network environment is constructed
in such a way that the serious security implications and vulnerabilities
you reference do not exist.

The reference to PCI compliance is interesting. Seeing as how Requirement 6 of the PCI DSS states that you must "Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release" I would think they can't possibly be compliant running NT 4 SP3, and that they must have a goal of upgrading these systems. That's good news.