Quick Guide to Regulatory Guidelines for Kiosks, ATMs and Point-of-Sale Systems
Government rules controlling the use of kiosks in the marketplace change on almost a daily basis. Deployers need to be aware of those regulations to avoid paying hefty fines.
The key measurement to keep in mind when ensuring kiosks are compliant with the ADA is 48 inches.
As kiosks become an increasing fixture in the marketplace, the rules gov- erning the use of those kiosks continue to evolve. And failing to comply with those rules can lead to harsh penalties.
Violations of Americans with Disabilities Act (ADA) standards can incur thousands of dollars in fines for each occurrence as well as the possibility of a lawsuit by the affected party. For merchants accepting credit card pay- ments via a kiosk, running afoul of Payment Card Industry (PCI) standards can result in millions of dollars in fines. Under the Health Insurance Porta- bility and Accountability Act (HIPAA), violations of privacy regulations when using kiosks for patient registration and bill payments can result in fines of up to $1 million a year.
While it is impossible to condense all of the rules and regulations governing kiosks into a few pages, we will try to cover the highlights and show deploy- ers where to go for more information.
Kiosks and ADA
Wondering if a kiosk is going to be covered by ADA standards? If the kiosk is going to be used in a public environment, the answer is yes. In addition, if the kiosk is used internally by employees, if it is operated by a federal, state, city or other governmental organization or if the kiosk or any portion of the project receives any federal funds, ADA standards apply.
Rules governing kiosks and ADA standards primarily revolve around ac- cess. The key measurement to keep in mind when ensuring kiosks are compliant with the ADA is 48 inches. This is the maximum height of the interactive touch point on any kiosk.
Additional measurements to be aware of include:
Forward reach. The minimum height for kiosks to be accessible for all self-service customers is 15 inches (with a maximum of 48 inches). These height requirements may change slightly when an obstruction is placed in front of the kiosk. Obstructions are defined as anything that creates space between the customer and the kiosk’s interactive screen.
Side reach. As long as an obstruction in front of the kiosk is less than or equal to 10 inches, the minimum and maximum heights are not changed.
If the obstruction is greater than 10 inches, however, the maximum height is lowered to 46 inches.
Wall-mounted kiosks. A wall-mounted kiosk must have a horizontal protrusion less than or equal to 4 inches to protect all customers as well as passersby. In addition, the kiosk must be at least 27 inches above the ground but can be no more than 80 inches above the ground.
With the advent of touchscreens, the Department of Justice is considering changes to ADA rules governing access for the visually impaired. Certain kiosks already are required to provide such access.
ADA recommends that the viewing angle for wheelchairs be equivalent.
Other elements include audio voice guidance, raised input devices, key- pads, function keys and Braille.
Kiosks and PCI compliance
The rules governing kiosks that accept payment cards essentially are the same as those governing other avenues of credit and debit card transactions.
The PCI Data Security Standard is the global data security standard adopt- ed by the payment card brands for all entities that process, store or transmit cardholder data. It consists of steps that mirror security best practices.
The PCI Security Council sets the PCI security standards, but each payment card brand has its own program for compliance, validation levels and enforcement.
There are two areas to look at. One is the merchant side, which is most often documented. Self-service public terminals generally will deal with these so that the self-service terminal is “out of scope.”
For reference the merchant steps to ensure PCI compliance include:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
The PCI Security Council sets the PCI security standards, but each payment card brand has its own program for compliance, validation levels and enforcement.
For self-service terminals best practices for consideration include:
- Don’t handle or process any data locally in any fashion if it can be avoided. This is your “out of scope” scenario.
- If the software application is being provided then the provider ideally is Payment Application – Data Security Standard listed and certified.
- If the software application provider has not undergone PA DSS certification, have they gone thru Qualified Security Assessor evaluation for compliance criteria? This costs money and verifies that software provider is indeed out of scope. Having a letter that says they are not impacted by PCI is not equivalent.
- Card readers should support encryption (not necessarily activated).
- Readers should support EMV. October 2015 is the date for EMV acceptance. If not accepting EMV on that date then MasterCard will not accept any liability due to fraud. More information is available here.
Although many HIPAA regulations are simply common-sense extensions of the rules governing protection of paper records, electronic devices introduce a new set of considerations, including how data is to be encrypted.
- Privacy for pin entry must be accommodated
- Internal access must be carefully secured.
- No data cached or otherwise stored.
- Encrypted file system in event of theft.
Kiosks and HIPAA
Along with allowing patients to check in and fill out forms electronically instead of via paper, kiosks in health-care facilities are being used to perform a host of functions ranging from verifying insurance coverage to accepting bill payments. In addition, there are a number of new kiosk applications in the marketplace that gather patient health information such as blood pressure and vision tests and allow users to send that information via email or text.
Both of those scenarios fall under the jurisdiction of the Health Insurance Portability and Accountability Act of 1996. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of na- tional standards for electronic health care transactions and national identi- fiers for providers, health insurance plans and employers.
Although many HIPAA regulations are simply common-sense extensions of the rules governing protection of paper records, electronic devices introduce a new set of considerations, including how data is to be encrypt- ed. Physicians need to participate in a formal compliance plan to ensure requirements are met. States may have additional requirements that go beyond federal rules.
The new rules consist of three main components:
HIPAA — The Privacy Rule
The Privacy Rule governs the use and disclosure of an individual’s protect- ed health information. Physicians who transmit a patient’s health informa- tion electronically in a transaction covered under HIPAA, such as filing claim forms electronically or verifying insurance coverage, are bound by HIPAA even if they are using a third-party service to conduct those transac- tions. The Privacy Rule applies to protected health information in any form, including paper and electronic.
HIPAA — The Security Rule
The HIPAA Security Rule establishes national standards to protect indi- viduals’ electronic personal health information that is created, received, used or maintained by a health-care facility or associated entity covered by HIPAA. The rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information. The rule does not apply to information trans- mitted orally or via paper.
HIPAA — The Breach Notification Rule
The Breach Notification Rule requires facilities covered by HIPAA to notify affected individuals as well as the Department of Health and Human Ser- vices in the event of a breach of a patient’s personal health information. In some cases, the facility will be required to notify the media as well.
Best practices for patient terminals include:
- Privacy wings, privacy screens or “lenticular” screens
- Ideal placement of input screen for each patient for maximum privacy effect.
- Encryption of devices including computer file system.
- Placement of kiosks with consideration of privacy.
Additional Standards in Plain English
- UL : In the US it is important to utilize UL certified components. Be care-ful of lower cost “modified” components which violate those regulations.
- UL-291 : the is the rating for safes. A UL-291 certified safe will present x amount of difficulty for thieves to break into. There are also UL-291 “compliant” safes (see note above re: UL)
- OPOS – common framework that transactional devices utilize in POS allowing for interchange of devices from different manufacturers. This is Unified POS in ARTS by NRF.
- ARTS – originated by National Retail Federation and includes Data Model, UnifiedPOS, and ARTS XML
- XFS : used in the ATM industry as interface platform standard.
- CUSS Certified – an airline check-in device which has been tested and certified in a platform by IATA.
Dates to remember:
September 23, 2013 ― Covered entities and business associates are required to come into full compliance with the HIPAA Omnibus Rule.
November 7, 2013 ― Release of Version 3.0 of the PCI Data Security Standard.
April 2014― Rules covering the accessibility of public websites under consideration.
In conclusion
The government regulations covering the use of kiosks in the marketplace change on nearly a daily basis, and it is impossible for any deployer to keep up with those regulations while managing its own business. An experienced kiosk provider, on the other hand, is involved in the industry every day and keeps up with those ever-changing regulations. While this paper can serve as a starting point for merchants to familiarize themselves with the rules governing the use of kiosks, the best way to protect oneself is to work with such a provider.
Writer(s): Craig Keefner with Richard Slawsky