Kiosk Standards and Regulations
Here is our coverage of the regulatory compliance standards that affect or come into play for kiosks. Some are required by law, some are only suggested. Some apply only at the federal level, but many are assumed across the board (based on legal activity). States often have their own set of regulations (think California). Biometrics in states like Illinois is another consideration. On our Legal Actions page we track different court cases across self-service.
Good Kiosk Regulations References
- Compliance Overview by KIOSK — UL Testing, Environmental and Attack testing. At the KIOSK compliance lab, products undergo UL and other compliance testing to measure product safety and environmental testing to ensure kiosks can withstand the elements when placed in outdoor settings. Attack testing helps validate that the kiosk design provides a measure of security against vandalism.
- Accessibility Compliance by Olea — the ADA regulations about kiosks aim to facilitate equal access and usage for individuals with physical disabilities, including those with mobility challenges, hearing, and vision impairments, parallel to those without such impairments. This inclusivity extends beyond the kiosk unit itself, encompassing the touchscreen, peripheral devices, and even the surrounding area.
- Security Requirements — here is a good example from Broward County — circa 2025
  - Defines “County Data” and “County Confidential Information” including sensitive personal and financial info
  - Contractor must follow County security policies, provide training, and notify the County when access changes
  - All remote network access needs VPN, multi-factor authentication, and encryption; noncompliance may result in suspension
  - Data privacy must comply with Florida law (Section 501.171, Chapter 119), stored in the U.S., and can’t be disclosed/sold without approval
  - Storage devices holding County Data must be securely wiped with certificate when requested
  - All security or cyber incidents must be reported within 24 hours and a full report within 5 days
  - Contractor must fully cooperate in incident investigation and provide forensic access
  - Staff with access to confidential info require background checks and must not pose a security risk
  - County Data may only be transmitted securely (HTTPS, SFTP) and not released without written consent
  - Current unqualified SOC 2 Type II report may be required, covering all Trust Service Principles
  - Software must follow secure SDLC, support AD and least privilege access, and quickly fix CVEs; encryption must be AES-256 at rest, TLS 1.2 in transit
  - Contractor-supplied equipment must include physical security, promptly patch vulnerabilities, and support signed firmware updates
  - PCI DSS compliance required for any software/equipment touching payment data, with annual certifications and prompt notification of loss of compliance
  - HIPAA/HITECH compliance required if relevant; subcontractors must also comply
  - App dev projects must follow County security standards and provide testing attestations if requested
Separate Content Pages
- General Standards
- ADA
- ABA – very important adjunct
- PCI DSS EMV
- UL
- HIPAA
- Section 508
- AntiBacterial FDA
- Gaming (GLI)
- CUSS and CUTE Airlines
- VPAT — Consistent with the original VPAT, version 2.4 provides a column for recording conformance to each provision of a standard or guideline relevant to a product or service. Manufacturers or vendors declare the degree of conformance using one of four conformance levels: supports; partially supports; does not support; or not applicable.
Standards Matrix
- Framework
- Standards to Kiosks Mapping
- Devices
Standards Frameworks
| Standard_or_Framework | Jurisdiction_or_Domain | Primary_Kiosk_Impact_Area | Typical_Deployments_Affected | Key_Kiosk_Requirements_or_Checkpoints | Canonical_Reference_or_TIG_Anchor |
|---|---|---|---|---|---|
| ADA Standards for Accessible Design (Title II and III) | United States; civil rights law | Physical accessibility; reach ranges; operable parts; audio and tactile access | Retail self checkout; self order; hotel check in; DMV; smart city; ticketing | Clear floor space; approach and reach; tactilely discernible controls; audio output; accommodation for mobility, vision and hearing impairments | KioskIndustry.org Standards section; ADA kiosk pages and checklist |
| ADA and ABA Guidelines for Terminals | United States; ADA and Architectural Barriers Act | Counter heights; protruding objects; layout around terminals | Hotel check in; restaurant kiosks; wall mount displays; transit ticketing | Max protrusion from wall; knee and toe clearance; control heights; accessible routes around kiosks | KioskIndustry.org ADA terminals commentary |
| Section 508 and Section 255 (U.S. ICT Accessibility) | United States federal ICT and communications | Software and UX accessibility; closed systems; procurement requirements | Federal agency kiosks; SSA; VA; USDA; federal building kiosks | Conformance to WCAG; audio or tactile access for blind users; procurement language; VPAT use | KioskIndustry.org Section 508 kiosk page |
| EN 301 549 and European Accessibility Act | European Union ICT accessibility | Accessibility of ICT products and services including kiosks and POS | Public sector kiosks; ticket machines; payment terminals; smart city screens in EU | Physical access; operable parts; audio output; speech output; compatibility with assistive tech; accessible documentation | KioskIndustry.org Standards listing for EN 301 549 and EU accessibility |
| Universal Design Principles | Global design framework | Inclusive hardware, software and environment design | All kiosk types as a design philosophy | Equitable use; simple and intuitive operation; perceptible information; low physical effort; adequate space for approach and use | Universal Design links referenced in KioskIndustry.org Standards |
| WCAG 2.1 and 2.2 Web Content Accessibility Guidelines | Global W3C standard | Kiosk UI and web based UIs; PWA kiosks | Browser based kiosks; remote admin portals; web front ends driving kiosks | Text alternatives; contrast; keyboard access; focus visibility; timing and error handling; AT compatibility | WCAG references in KioskIndustry.org Standards |
| VPAT Voluntary Product Accessibility Template | Global reporting template; widely used by public sector and enterprises | Accessibility conformance reporting for hardware, software and documentation | Any kiosk solution sold into public sector or enterprise | Documented conformance vs 508, WCAG and EN 301 549; four level rating; separate coverage for hardware and software | VPAT resources linked from KioskIndustry.org Standards |
| Air Carrier Access Act ACAA Kiosk Rules | United States; air travel accessibility | Airline check in and bag tag kiosks | Airport self service check in; bag drop; boarding pass kiosks | Required percentage of accessible kiosks; placement rules; tactile controls; audio jacks; consistent accessible features | ACAA and DOT resources in KioskIndustry.org Standards |
| HIPAA and HITECH and Canadian privacy for health | United States health privacy and security; Canadian privacy | Electronic protected health information privacy and security around kiosks | Patient check in and payment; telehealth; pharmacy and health kiosks | Screen privacy; short timeouts; limited PHI on screen and receipts; encrypted transport and storage; BAAs; audit logging | HIPAA kiosk pages and primers on KioskIndustry.org |
| FERPA and GLBA | United States education and financial privacy | Privacy of student and financial records at kiosks | Campus kiosks; tuition and bursar kiosks; financial institution kiosks | Avoid exposing sensitive records on screen; strong authentication; secure sessions; compliance with institutional policies | FERPA and GLBA references under additional regulations on KioskIndustry.org Standards |
| PCI DSS Payment Card Industry Data Security Standard | Global card brand data security standard | Cardholder data security; network and application controls | Payment kiosks; self checkout; restaurant self order; bill pay and ticketing kiosks | No storage of sensitive auth data; encryption; PTS approved devices; segmented networks; logging and monitoring; regular scans | PCI and EMV payments entry in KioskIndustry.org Standards |
| EMV Specifications and Liability Shift Rules | Global EMVCo and card brands | Chip and contactless transaction security and liability | Kiosks taking chip and contactless payments | Certified EMV kernels; correct cardholder verification; support for contactless; awareness of liability shift rules | Same PCI and EMV entry and processor and acquirer documentation |
| UL 2361 and UL 291 and UL 60950-22 and UL 62368-1 | North America and global safety and security standards | Electrical safety; fire; stability; burglary resistance for safes | Indoor and outdoor kiosks; ATMs; safes; payment devices | Stability and tip tests; enclosure strength; protection from shock and fire; burglary resistance where cash; documented certification | UL Kiosk Standards and outdoor kiosk guidance on KioskIndustry.org |
| Environmental Standards NEMA and IP ratings | NEMA United States enclosures; IEC IP ratings | Weather and ingress protection; dust; water and corrosion resistance | Outdoor ticketing; drive thru kiosks; EV charging; transit; smart city kiosks | Match enclosure rating to environment; consider rain, snow, dust, corrosion, vandalism; design for thermal and condensation control | Environmental and outdoor kiosk design articles on KioskIndustry.org |
| IEC 60601-1 Medical Electrical Equipment | International medical electrical safety standard | Safety of medical electrical devices used with patients | Vitals kiosks; diagnostic kiosks; point of care carts with kiosk UIs | Limits for leakage current; isolation; creepage and clearance; essential performance and risk management integration | Medical kiosks and IEC 60601 references in KioskIndustry.org Standards |
| ISO 13485 Medical Devices Quality Management | International QMS standard for medical devices | Quality system for design and manufacture of medical device kiosks | Kiosk products marketed as medical devices or accessories | Documented QMS; design controls; supplier and traceability controls; CAPA; post market surveillance | ISO 13485 references in KioskIndustry.org Standards |
| FDA 510k Premarket Notification | United States FDA medical devices | Regulatory clearance for certain medical device kiosks | Diagnostic kiosks; some telehealth and wellness devices | Show substantial equivalence to predicate devices; labeling and indications; safety and effectiveness data; human factors as needed | FDA device and 510k links in KioskIndustry.org Standards |
| Gaming Labs International GLI Standards | Gaming regulators with GLI as test lab | Gaming kiosk compliance and integrity | Casino ticket redemption; lottery; sports betting kiosks | Jurisdiction specific gaming rules; RNG and payout integrity; secure audit logs; age and ID verification; AML controls | GLI and gaming advisory content on KioskIndustry.org |
| Made in America and Buy America DOT Transit | United States DOT and related procurement rules | Domestic content and final assembly for funded projects | Transit ticketing; fare collection; smart city kiosks under transit funding | Document domestic content percentages; final assembly location; supplier certifications; alignment with grant language | Buy America and Made in America references in KioskIndustry.org Standards |
| SOC 2 and ISO 27001 and SSAE style audits | Global information security assurance frameworks | Backend platform and cloud security for kiosk fleets | Any connected kiosk network with central CMS and back office | Formal security controls; encryption; access control; incident response; third party assessments and reports | Security framework mentions under additional regulations on KioskIndustry.org Standards |
| Dark Sky and Light Emission and FEMA and UL for LEV | Local and national environmental and safety codes | Light pollution; structural resilience; battery and e mobility safety | Smart city kiosks; transit shelters; LEV and EV adjacent deployments | Limit light spill and glare; design for wind and hurricane loads; secure mounting; battery system safety where used | Dark Sky and FEMA and LEV items under additional regulations on KioskIndustry.org Standards |
Standards to Kiosks
| Kiosk_Category | ADA_US | Section_508_WCAG | EN_301549_EAA | PCI_EMV | HIPAA_Health_Privacy | UL_Electrical | NEMA_IP_Outdoor | GLI_Gaming | ISO13485_IEC60601 | ACAA_Airline | Buy_America_Transit | SOC2_ISO27001 | Notes | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Self Order Restaurant | QSR | Y | Y | M | Y | N | Y | M | N | N | N | N | Y | Drive thru and outdoor variants need NEMA or IP and high brightness |
| Retail Self Checkout | Y | Y | M | Y | N | Y | M | N | N | N | N | N | Y | High ADA scrutiny in large chain deployments |
| Retail Information Kiosks | Y | Y | M | N | N | Y | M | N | N | N | N | N | Y | Often browser or web based UIs using WCAG |
| Ticketing and Events | Y | Y | Y | Y | N | Y | M | N | N | N | N | N | Y | Ticketing plus payments; some outdoor deployments |
| Transit Ticketing | Y | Y | Y | Y | N | Y | Y | N | N | N | N | Y | Y | Often subject to Buy America and outdoor environmental rules |
| DMV and Government Services | Y | Y | Y | M | N | Y | M | N | N | N | N | Y | Y | Almost always Section 508 and strong security expectations |
| Hotel Check In and Hospitality | Y | M | M | Y | N | Y | M | N | N | N | N | N | Y | Indoor focus; ADA and PCI primary |
| Patient Check In | Y | Y | M | M | Y | Y | M | N | Y | N | N | N | Y | HIPAA and sometimes medical device rules apply |
| Telehealth and Diagnostics | Y | Y | M | N | Y | Y | M | N | Y | N | N | N | Y | If diagnostic, subject to IEC 60601 and possibly FDA |
| Pharmacy Kiosks | Y | Y | M | Y | Y | Y | M | N | M | N | N | N | Y | HIPAA plus PCI for copays and cards |
| Financial Services Kiosks | Y | Y | M | Y | N | Y | M | N | N | N | N | N | Y | GLBA may apply; heavy PCI and EMV focus |
| Bill Pay | Y | Y | M | Y | N | Y | M | N | N | N | N | N | Y | Utility and bill payment with card or cash |
| Smart City Information | Y | Y | Y | N | N | Y | Y | N | N | N | N | Y | Y | Outdoor requirements and civic accessibility |
| EV Charging Kiosks | Y | Y | Y | Y | N | Y | Y | N | N | N | N | Y | Y | Accessibility rulemaking active; NEMA and IP key |
| Smart Vending | Y | M | M | Y | N | Y | M | N | N | N | N | N | Y | Interactive screens trigger ADA; payments trigger PCI |
| Locker Pickup | Y | M | M | M | N | Y | M | N | N | N | N | N | Y | ADA for screens and locker reach ranges |
| Photo Kiosks | Y | Y | M | M | N | Y | N | N | N | N | N | N | Y | Accessibility and UL primary |
| Gaming Kiosks | Y | N | N | Y | N | Y | M | Y | N | N | N | N | Y | GLI and local gaming regulations dominate |
| Sports Betting Kiosks | Y | N | N | Y | N | Y | M | Y | N | N | N | N | Y | Age checks and AML rules in addition to gaming standards |
| Lottery Kiosks | Y | M | M | M | N | Y | M | Y | N | N | N | N | Y | Lottery commissions and GLI style testing |
| Campus Kiosks | Y | Y | M | M | N | Y | M | N | N | N | N | N | Y | May handle student records and FERPA |
| Visitor Management | Y | Y | M | N | M | Y | M | N | M | N | N | N | Y | Photo capture and ID scanning raise privacy questions |
| Industrial Kiosks | M | M | M | N | N | Y | M | N | N | N | N | N | Y | Heavy UL and environmental focus; accessibility varies |
| POS Mini Kiosks | Y | M | M | Y | N | Y | M | N | N | N | N | N | Y | Countertop accessibility and PCI are key |
| Interactive DOOH | Y | Y | Y | N | N | Y | Y | N | N | N | N | N | Y | Outdoor advertising with touch or gesture interaction |
| Micro Markets | Y | M | M | Y | M | Y | M | N | N | N | N | N | Y | Hybrid of vending and retail self checkout |
| Autonomous Kiosks | Y | Y | Y | M | M | Y | M | N | M | N | N | N | Y | Emerging rules for AI transparency and biometrics |
| Regulation_or_Standard | Region | Current_Status | Key_Dates | Next_Milestone | Notes |
|---|---|---|---|---|---|
| ADA Standards for Accessible Design | United States | In force; periodically updated guidance | ADA enacted 1990; 2010 Standards widely adopted in 2012 | Ongoing rulemaking and guidance updates | Future rules likely to clarify self service and kiosks more explicitly |
| Air Carrier Access Act Kiosk Rules | United States | In force for covered carriers | DOT rules phased in over multiple years for accessible kiosks | Potential refinements and enforcement guidance | Accessibility percentage and placement rules already in effect for airlines |
| Section 508 and Section 255 | United States | Refreshed 508 standards in force | Major refresh aligned with WCAG took effect in late 2010s | Future refreshes likely to align with newer WCAG versions | Affects federal procurement of kiosk hardware and software |
| EN 301 549 and European Accessibility Act | European Union | EN 301 549 in force; EAA phased in | EN 301 549 adopted earlier; EAA compliance dates staggered by sector | Further national transposition and enforcement actions | Will extend accessibility obligations to more private sector services including kiosks and POS |
| HIPAA and HITECH | United States | In force; enforcement ongoing | HIPAA privacy and security rules in place since early 2000s; HITECH strengthened enforcement | Future guidance on new tech such as telehealth and AI | Covers ePHI handled by patient and health kiosks |
| PCI DSS | Global | Version 3 and 4 family in use | Multiple revisions over the last decade to address EMV, tokenization and ecommerce | Future minor and major revisions as threats evolve | Card brands set enforcement timelines for merchants and service providers |
| EMV Specifications | Global | Widely deployed for chip and contactless | Liability shifts for card present fraud rolled out over several years by region | Ongoing updates for contactless, mobile and new form factors | Kiosk operators must track acquirer and network deadlines |
| UL and IEC Kiosk Safety Standards | Global and North America | Current editions in force | Various release dates by standard such as UL 62368-1 and IEC 60601-1 | Future edition updates and transition periods | Manufacturers must track edition changes for new product approvals |
| NEMA and IP Environmental Ratings | Global | Stable rating systems in use | NEMA and IP frameworks have existed for many years | New guidance as new hazards and environments appear | Used at design stage to specify enclosure performance |
| GLI Gaming Standards | Jurisdiction specific | Ongoing updates by gaming regulators and GLI | Standards have evolved with digital gaming and kiosks | New versions and jurisdiction specific changes | Casinos and lottery agencies track standards per jurisdiction |
| Buy America and Made in America Rules | United States | In force; sometimes strengthened in new bills | Requirements tied to specific infrastructure and transit funding programs | Future changes tied to new federal legislation and grant programs | Transit and smart city kiosk projects must check current content thresholds |
| SOC 2 and ISO 27001 | Global | Widely used assurance frameworks | Several revisions and new controls over time | Updates to reflect cloud, zero trust and supply chain | Applies to backend systems supporting kiosk fleets |
| AI and Biometrics Related Laws | Various | Rapidly evolving landscape | Key state and regional rules passed in recent years | New AI and biometrics laws likely in multiple jurisdictions | Relevant for voice, vision and identity features on next generation kiosks |
More Discrete Standards Listing
- ADA Standards for Kiosks — Providing access for the disabled is the law, not an option. Disabilities come in all forms, from wheelchair use to hearing to sight to any number of “differences”. These standards apply to everything from digital signage to ATMs to POS checkout to any public access system.
- Section 508 — often overlooked but this standard ensures that government online cyber mechanisms communicate effectively with users.
- Air Carrier Access Act from Department of Transportation
- dot_2303_DS1-compressed
- agreement-kiosk-rule-southwest-and-dot-compressed
- Kiosk-website-FR-final rule-compressed
- Plain English Air Carrier Standards from National Association of Deaf
- Universal Design by Section 508
- Universal Design Principles by Berkeley
- ADA for Europe is covered in EN 301 549. EN 301 549 is the European standard that sets out accessibility requirements for information and communication technology (ICT) procured by the public sector. It applies to products as well as services.
- HIPAA Standards for Privacy & Self-Service — security in healthcare is the originating basis, but data security extends to all types of public data collection. Violations can result in millions of dollars in fines.
- FDA Standards – A 510(K) is a premarket submission made to FDA to demonstrate that the device to be marketed is as safe and effective, that is, substantially equivalent, to a legally marketed device (section 513(i)(1)(A) FD&C Act) that is not subject to premarket approval.
- PCI & EMV Payment Standards — from out of scope to QSA to devices to much more, payment data must be protected. October 2015 is the big Liability Shift and organizations are putting in place their response now.
- UL Standards — an exposition of UL standards which come into play for self-service (kiosks, ATMs, Checkouts) including UL 2361, UL 291
- Made in America — see DOT for regulations. Many RFPs specify American Made and then you have the DOT doc explaining exactly what is meant by that. A bit like ADA compliant.
- Environmental Standards for Outdoor — this includes the various standards that come into play for outdoor or environmental circumstances. This ranges from NEMA ratings to IP standards for ingress protection to vandal-resistant touch screens. What is the difference between NEMA 4 and NEMA 4X (besides about $200 in cost)?
- 60601-1 — Medical devices and equipment are held to a higher level of safety than almost all other types of equipment on the market.
- Here is ISO page and here is ISO Medical Devices related page for ISO 13485.
- Gaming Regulations – GLI Certification — GLI’s business is to test, review and report on gaming devices and systems against the standards established by relevant gaming jurisdictions worldwide. Each jurisdiction has the authority to set their own standards; however, many use our standards as a starting point in developing their regulations.
- WCAG — Here is the working draft for 2.2. Web Content Accessibility Guidelines (WCAG) 2.2 covers a wide range of recommendations for making Web content more accessible.
- For testing
Tools We Use Everyday
- Google PageSpeed Insights — tests speed and accessibility — MOBILE is primary
- MS Edge Accessibility Insights — quick fast pass for accessibility (WCAG 2.1)
- Experte — free web tools based in Germany, also WCAG 2.1 — will test entire website for you
- What About Mobile Apps? Here is a summation of Section 508 by the Veterans Administration. Section 508 Mobile Best Practices Summary
More Regulations and Certification That Come Into Play — Depending
- Light Emitting – Dark Sky Certification for E-Ink displays for City transit systems
- Hurricanes – think of Smart City deployments in Florida
- FEMA Codes for Reference
- FERPA and GLBA
- SAS70/SOC2/ISO 27001/SSAE16 or similar external reviews
- Here is a running log of legal actions we keep
- For our list of Assistive Technologies and providers click here
Light Electric Vehicles (e.g., bikes, scooters) — UL 2271, 2849 — ISO 13063
Typical Smart City – from Cherry Creek Colorado 2023
- Weatherproof, including ability to function in extreme heat and cold;
- Graffiti resistant including procedures for preventing and rectifying damage from inclement weather, dirt and vandals, which shall be the responsibility of vendor;
- ADA compliant including adjusting height of content and interactive features for users in wheelchairs and approach height/reach requirements and accessibility for the visually impaired;
- Allow for the display of advertising as approved by the CCN BID, when passive, but upon engagement by a user, the advertising will be minimized or eliminated to take a secondary position to interactive content;
- Employ interactive touchscreen technology, be location aware with customized mapping and wayfinding, in particular with supporting features for local retail locations;
- Provide filtering to search by category of activity; include rational sorting protocol including proximity and type; include a procedure to ensure all content is up to date, accurate and relevant; and an ability to transfer information to user’s mobile devices.
- Provide surveying capability including the ability to pose questions to users, collect responses and disseminate to the CCN BID;
- Include potential integration of social media, gaming and other applications to encourage use engagement;
- Have the ability to switch between Spanish and English with the capability of support for other languages at a later date