Kiosk Standards and Regulations

Here is our coverage of the regulatory compliance standards which affect, or come into play for, kiosks. Some are required by law, some are recommendations. Some apply only to federal entities, but many are assumed to apply across the board (based on legal activity). States often have their own regulations (think California). Biometric privacy laws in states like Illinois are another consideration. On our Legal Actions page we track court cases across self-service.

Good Kiosk Regulations References

  • Compliance Overview by KIOSK — UL Testing, Environmental and Attack testing.  At the KIOSK compliance lab, products undergo UL and other compliance testing to measure product safety and environmental testing to ensure kiosks can withstand the elements when placed in outdoor settings. Attack testing helps validate that the kiosk design provides a measure of security against vandalism.
  • Accessibility Compliance by Olea — the ADA regulations about kiosks aim to facilitate equal access and usage for individuals with physical disabilities, including those with mobility challenges, hearing, and vision impairments, parallel to those without such impairments. This inclusivity extends beyond the kiosk unit itself, encompassing the touchscreen, peripheral devices, and even the surrounding area.
  • Security Requirements — here is a good example, from Broward County, circa 2025:
    • Defines “County Data” and “County Confidential Information” including sensitive personal and financial info​

    • Contractor must follow County security policies, provide training, and notify the County when access changes​

    • All remote network access needs VPN, multi-factor authentication, and encryption; noncompliance may result in suspension​

    • Data privacy must comply with Florida law (Section 501.171, Chapter 119), stored in the U.S., and can’t be disclosed/sold without approval​

    • Storage devices holding County Data must be securely wiped with certificate when requested​

    • All security or cyber incidents must be reported within 24 hours and a full report within 5 days​

    • Contractor must fully cooperate in incident investigation and provide forensic access​

    • Staff with access to confidential info require background checks and must not pose a security risk​

    • County Data may only be transmitted securely (HTTPS, SFTP) and not released without written consent​

    • Current unqualified SOC 2 Type II report may be required, covering all Trust Service Principles​

    • Software must follow a secure SDLC, support Active Directory (AD) and least-privilege access, and quickly fix CVEs; encryption must be AES-256 at rest and TLS 1.2 in transit​

    • Contractor-supplied equipment must include physical security, promptly patch vulnerabilities, and support signed firmware updates​

    • PCI DSS compliance required for any software/equipment touching payment data, with annual certifications and prompt notification of loss of compliance​

    • HIPAA/HITECH compliance required if relevant; subcontractors must also comply​

    • App dev projects must follow County security standards and provide testing attestations if requested​
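The Broward County list requires that contractor-supplied equipment "support signed firmware updates" but, as a requirements summary, does not show what the kiosk-side check looks like. Below is an added example, not code from the Broward County document or from any kiosk vendor, of that check in Go: the vendor signs version||SHA-256(image) with an Ed25519 key, and the kiosk verifies against a public key pinned in its image, refusing tampered images, images signed by an unknown key, and (an added caveat the county text does not spell out) rollback to an older version. The UpdatePackage layout, the key handling and the sample image are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update container (not a vendor format):
// a monotonically increasing version, the firmware image bytes, and a
// detached Ed25519 signature over version||SHA-256(image).
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedMessage builds the exact bytes the vendor signs and the kiosk verifies.
// Binding the version into the signed message stops an attacker from
// re-labelling an old, genuinely signed image with a newer version number.
func signedMessage(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate is what the vendor's build pipeline would do with its private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed firmware")
)

// VerifyUpdate is the kiosk-side gate that runs before any update is applied.
// trusted is the vendor public key pinned in the kiosk image; installed is the
// version of the firmware currently running. The signature is checked first so
// that an unsigned package can never influence the version comparison.
func VerifyUpdate(trusted ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(trusted, signedMessage(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// GenerateKey(nil) uses crypto/rand; in practice the private key lives
	// in the vendor's signing service, never on the kiosk.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image v2") // constructed sample, not a real image
	pkg := SignUpdate(vendorPriv, 2, image)
	fmt.Println("genuine:    ", VerifyUpdate(vendorPub, 1, pkg))

	// Flip one byte of the image: the digest changes, so the signature fails.
	tampered := pkg
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered:   ", VerifyUpdate(vendorPub, 1, tampered))

	// Same genuine package offered to a kiosk already on version 2.
	fmt.Println("rollback:   ", VerifyUpdate(vendorPub, 2, pkg))

	// A package signed by a key the kiosk has not pinned.
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	fmt.Println("unknown key:", VerifyUpdate(vendorPub, 1, SignUpdate(attackerPriv, 3, image)))
}
```

The order of the two checks matters: the version field is only trusted after the signature over it has verified, which is why the version is part of the signed message rather than a separate header the kiosk reads first.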

Separate Content Pages

Standards Matrix

  • Framework
  • Standards to Kiosks Mapping
  • Devices


More Discrete Standards Listing

  • ADA Standards for Kiosks — Providing access for people with disabilities is the law, not an option. Disabilities take many forms, from mobility (wheelchair users) to hearing to sight to any number of other differences. These standards apply to digital signage, ATMs, POS checkout, and any other public-access system.
  • Section 508 — often overlooked; this standard requires that federal government electronic and information technology be accessible to users with disabilities.
  • Air Carrier Access Act from Department of Transportation
  • Universal Design by Section 508
  • Universal Design Principles by Berkeley
  • The European counterpart to ADA accessibility requirements is EN 301 549, the European standard that sets out accessibility requirements for information and communication technology (ICT) procured by the public sector. It applies to products as well as services.
  • HIPAA Standards for Privacy & Self-Service — healthcare is where HIPAA applies, but the same data-security discipline extends to all types of public data collection. Violations can result in millions of dollars in fines.
  • FDA Standards – A 510(k) is a premarket submission made to FDA to demonstrate that the device to be marketed is as safe and effective, that is, substantially equivalent, to a legally marketed device (section 513(i)(1)(A) FD&C Act) that is not subject to premarket approval.
  • PCI & EMV Payment Standards — from scope reduction to QSA assessments to approved devices and much more, payment data must be protected. The October 2015 EMV liability shift moved liability for counterfeit-card fraud onto whichever party (merchant or issuer) had not adopted EMV chip technology.
  • UL Standards — an exposition of UL standards which come into play for self-service (kiosks, ATMs, Checkouts) including UL 2361, UL 291
  • Made in America — see DOT for the regulations (Buy America requirements). Many RFPs specify American-made, and the DOT document explains exactly what that means; the term is used about as loosely as "ADA compliant".
  • Environmental Standards for Outdoor — this includes the various standards that come into play for outdoor or harsh environmental circumstances. This ranges from NEMA ratings to IP standards for ingress protection to vandal-resistant touch screens. What is the difference between NEMA 4 and NEMA 4X (besides about $200 in cost)? The X adds corrosion resistance, which matters in coastal or road-salt environments.
  • IEC 60601-1 — Medical electrical equipment is held to a higher level of safety than almost all other types of equipment on the market.
  • Here is the ISO page, and here is the ISO medical-devices page for ISO 13485 (quality management systems for medical devices).
  • Gaming Regulations – GLI Certification — GLI's business is to test, review and report on gaming devices and systems against the standards established by relevant gaming jurisdictions worldwide. Each jurisdiction has the authority to set its own standards; however, many use GLI's standards as a starting point in developing their regulations.
  • WCAG — Here is the working draft for 2.2 (WCAG 2.2 has since been published as a W3C Recommendation, October 2023). Web Content Accessibility Guidelines (WCAG) 2.2 covers a wide range of recommendations for making Web content more accessible.
  • For testing

Tools We Use Everyday

More Regulations and Certification That Come Into Play — Depending

Light electric vehicles (e.g., bikes, scooters) — UL 2271 (batteries for light electric vehicles), UL 2849 (electrical systems for e-bikes), ISO 13063 (safety specifications for electrically propelled mopeds and motorcycles)

Typical smart-city kiosk requirements, from Cherry Creek, Colorado, 2023 (CCN BID is the Cherry Creek North Business Improvement District):

  • Weatherproof, including the ability to function in extreme heat and cold;
  • Graffiti resistant, including procedures for preventing and rectifying damage from inclement weather, dirt and vandals, which shall be the responsibility of the vendor;
  • ADA compliant, including adjusting the height of content and interactive features for users in wheelchairs, approach height/reach requirements, and accessibility for the visually impaired;
  • Allow for the display of advertising as approved by the CCN BID when passive, but upon engagement by a user the advertising will be minimized or eliminated to take a secondary position to interactive content;
  • Employ interactive touchscreen technology; be location aware with customized mapping and wayfinding, in particular with supporting features for local retail locations;
  • Provide filtering to search by category of activity; include a rational sorting protocol including proximity and type; include a procedure to ensure all content is up to date, accurate and relevant; and an ability to transfer information to users' mobile devices;
  • Provide surveying capability, including the ability to pose questions to users, collect responses and disseminate them to the CCN BID;
  • Include potential integration of social media, gaming and other applications to encourage user engagement;
  • Have the ability to switch between Spanish and English, with the capability to support other languages at a later date.