
Security Compliance FAQ

Questions on Security and Compliance

Kiosks are treated as part of your digital and built environment, so ADA, privacy, and payment rules apply much like they do to websites, POS, and ATMs.


Are kiosks required to comply with the ADA?

Yes. Public‑facing kiosks used in places of public accommodation or by covered entities are expected to be accessible under the ADA, similar to ATMs, fare machines, and POS devices. Draft U.S. Access Board guidelines explicitly address self‑service transaction machines and are expected to be adopted by DOJ and DOT as enforceable standards.


What accessibility features are required for kiosks?

Requirements include accessible reach ranges, clear floor space, and operable parts that can be used without tight grasping, pinching, or twisting, for both standing and seated users. Functionally, kiosks must provide an equivalent experience for users with disabilities, often via larger targets, high‑contrast visuals, tactile controls, and audio or assistive‑tech support where appropriate.


Does WCAG apply to kiosks?

WCAG was written for web content, but it is increasingly referenced as the usability baseline for kiosk software, especially where Section 508 or federal funding is involved. While the ADA does not name WCAG directly, regulators and courts look to WCAG 2.1 AA principles to judge whether kiosk interfaces are perceivable, operable, and understandable for disabled users.


Is providing staff assistance a substitute for accessibility?

No. Staff assistance can be a backup, but it is not a full substitute for an accessible kiosk experience. DOJ and case law generally view “just ask for help” as insufficient when the technology itself could reasonably be made accessible and is intended for independent use.


Are kiosks subject to PCI compliance?

If a kiosk accepts card payments, PCI DSS and related standards (PA‑DSS/PCI software, PTS POI for PIN pads, EMV levels) apply just as they do for attended POS and ATMs. Merchants must ensure the payment application, hardware, and network are validated and that card data is never stored or transmitted in the clear, often using point‑to‑point encryption (P2PE).


How is customer data protected on kiosks?

Security baselines include hardened OS builds, kiosk lockdown software, strong authentication for admin access, encrypted storage and transport, network segmentation, and regular patching. Logs, intrusion monitoring, and tamper‑resistant enclosures further reduce risk of data theft, while clear data‑retention policies avoid unnecessary storage of sensitive information on the device.


Do kiosks require braille or audio output?

Not every kiosk must have braille labels and audio, but any fleet must provide effective access for blind and low‑vision users, and some sector rules (like airline check‑in) explicitly require audio jacks, tactile controls, and speech output on a portion of units. Many deployments follow the ATM/ACAA pattern—providing tactile controls plus headphone audio and screen‑reader software on at least a defined percentage of kiosks per location.


What are the biggest compliance risks with kiosks?

Key risks include inaccessible hardware (heights, reach, lack of audio), inaccessible software flows, non‑compliant payment handling, and unmanaged devices that drift out of security patch levels. Organizations also face exposure when policies rely solely on staff “workarounds,” or when vendors cannot demonstrate how their designs align with ADA, PCI, privacy, and sector‑specific rules.


Are mobile-only interfaces ADA compliant?

Relying only on a mobile app or QR experience is risky; the ADA expects primary services offered through kiosks to be accessible at the point of use, not only via personal devices. Mobile can complement an accessible kiosk (for example as an alternative input/output channel), but “download our app instead” does not generally cure an inaccessible kiosk.


How do regulations differ outside the U.S.?

Other jurisdictions use different frameworks but similar principles: for example, the EU’s European Accessibility Act and EN 301 549 set detailed requirements for ICT, including self‑service terminals. Many countries also have their own disability and privacy laws (such as GDPR in Europe) that shape kiosk accessibility, consent, and data‑protection expectations.

Published by Kiosk Industry: https://kioskindustry.org/faq/security-compliance/