Under Lock and Key
- By Steve Spatig
- Feb 01, 2020
The interactive self-service kiosk has become a valuable, steadily growing
commercial and informational tool since
the launch of the first banking ATM in the 1980s.
It is an essential part of our modern-day digital
landscape.
Due to advances in broadband networks and touchscreen technologies,
kiosk-based transactions have evolved from ATMs, vending
machines and self-service fuel dispensers. They include a host
of new applications, including everything from remote merchandise
pickup and parcel exchange to digital ordering kiosks and
gaming systems, such as lottery sales and electronic slot machines.
All have several factors in common. They are automated systems
that feature expensive equipment and are located in a wide
range of often unattended sites. They can store valuable products,
give access to valuable services and —crucially— incorporate
technology to capture personal and financial information in
order to facilitate transactions. They are also connected to corporate
transaction networks, which can make them points of entry
to hackers. In addition, many of these self-service kiosks can receive
or dispense money.
Given these factors, kiosk designers, builders and end users
need to make a critical assessment of how these systems are secured.
Whether located indoors or outdoors, stand-alone kiosks
include several features that need to be considered when selecting
a security solution:
- These kiosks enclose and protect critical equipment — touchscreens,
processors, credit card readers and technology that connects
to either the internet or proprietary corporate networks.
- They need to be accessed on a routine basis by consumers as
well as a variety of staff performing maintenance, restocking products or updating items secured in the enclosure.
- These kiosks use high-end industrial design, including large
touchscreen interfaces, branding elements and fine design
touches to appeal to targeted user settings, such as hotel lobbies,
airport terminals and retail locations.
Electronic Access Solutions (EAS) that incorporate electronic
locking and access control devices offer a proven and easy way to
add physical security to self-service kiosks without interrupting
industrial design. These electronic access solutions can serve as
stand-alone access control devices, or they can be connected to a
network for remote access control.
Most importantly, EAS platforms let the operators of unattended
kiosks remotely manage access in real time by controlling
and tracking who accesses the enclosures, when and for how long.
Expanding Risks and Regulations
Controlling access to standalone kiosks, particularly those connected
to networks and equipped with data capture capabilities, is
a critical necessity for the industry. The risks of cybercrime continue
to grow: In 2019, the global average cost of a data breach
is $3.9 million. In the United States alone, the average total cost
of a data breach has grown from $3.54 million in 2006 to $8.19
million in 2019, a 130 percent increase over 14 years.1
Stand-alone kiosks represent a significant point of risk for
theft and cybercrime. The risk factor grows as kiosk applications
and technology become more sophisticated. Access to the internal
systems within the kiosk could not only lead to theft of expensive
electronics, displays, batteries and copper, but also to the
theft of person’s payment information through the manipulation
of internal control systems.
Regulatory bodies are placing a stronger emphasis on data protection,
making it essential that businesses deploying stand-alone
kiosks take necessary steps to ensure that their security administration
meets industry standards. Organizations that fail to fully comply
with current data regulations face significant consequences.
For example, the Payment Card Industry Data Security Standard
(PCI DSS) is regarded as one of the more significant data
protection standards in the IT industry today. PCI DSS is designed
to protect the personal payment card data of consumers
and sets access control requirements for the entities that secure
their information. The regulation calls for monitoring and tracking
staff who might have physical access to data or systems that
house cardholder data.
Recent updates to the General Data Protection Regulation
(GDPR) put even stiffer requirements on personal data protection,
and the fines for noncompliance are even more substantial.
These requirements create a powerful incentive for kiosk operators
to consider the value of upgrading their kiosk access from
standard mechanical keys to electronic access solutions to appropriately
control and monitor access.
EAS Provides Intelligent Security
Until recently, a large proportion of distributed kiosks have used
lock-and-key mechanisms to provide access control and physical
security. These mechanical lock-and-key-based solutions make it
difficult, if not impossible, to track who has which key and when
they have been used (or misused) to access a piece of equipment.
Electronic-locking technology with digital credentials, remote
monitoring and concealed locking hardware provides a more robust
form of physical security and access control. It also provides
a higher level of deterrence to vandals and thieves who try to steal
kiosk equipment, merchandise, credit card data or cash.
An electronic-access solution combines three integral elements
into one cohesive security system. A complete solution includes
a credential with corresponding user interface, a control system
and an intelligent electromechanical lock or latch.
The credential/user interface, such as a PIN/digital keypad,
RFID card and reader, or Bluetooth device and reader provides
the digital “key” which is transmitted to the associated user interface.
The credential’s electronic data is then sent to the controller
that validates the credential. If the user credential is valid, the
controller then signals the intelligent latch to lock or unlock the
desired kiosk door.
Upon actuation, a digital record of activity can be created and
archived for future audit trail reporting. If desired, the record can
be instantly transmitted via existing network connections built
into the kiosk—one more digital record among many that the
kiosk is already equipped to communicate across the network to
which it is connected.
With significant legacy deployments, it is important to look
for solutions that can easily integrate with existing infrastructure.
For example, solutions exist today that can replace or be combined
with, existing mechanical hardware and connected to existing
onboard computers and controllers. In this case, the existing
user interface built into the kiosk can be used as the input device
for controlling access to the equipment.
There are five main criteria that kiosk designers and end users should assess when considering the value of using EAS.
Compliance. EAS provides the increased level of security
and access tracking that is called for by both the PCI DSS and
GDPR. These include strong access control measures, such as
assigning a unique ID to each person who could potentially access
cardholder data, and the ability to monitor and record access
over time for audit trail purposes.
Ease of integration. Since most stand-alone kiosks already
possess onboard digital systems and network connections that
require service staff to provide passwords and other credentials,
with the right solutions, adding EAS technology can be done inexpensively
and seamlessly.
Service staff access. If there are multiple service staff who
need to access that piece of equipment, managing and distributing
mechanical keys can be time consuming and present ongoing
security risks.
Remote access support. If an emergency or time-sensitive situation
arises where service staff needs to access the kiosk quickly,
getting them the physical key for the mechanical lock can be
problematic. EAS systems can support remote access, for example
by sending a time based digital key to the service person’s
smartphone for immediate access.
Aesthetics. Many kiosks are designed to be eye catching and
distinctive — and the presence of a mechanical lock can detract
from that designed appeal. Electronic locks can be easily concealed
and integrated into kiosk access panel designs. This also adds to
the physical security by concealing potential attack points.
Electronic Access for
Different User Needs
Today’s kiosks and self-service equipment often need more than
one type of electronic access solution to achieve the required level
of access control. For example, a kiosk that rents chargers for
electronic devices controls the renter’s access through a user interface,
such as a credit card reader or mobile device. The user
interface is connected to a controller that routes the signal to the
appropriate compartment lock.
Repair technicians and inventory managers have different access
requirements. Remote kiosks need to be accessed to restock
products or refill cash repositories, as well as for routine maintenance
and technician access when repairs are needed. Access
must be managed and tracked to maintain the physical integrity
of the kiosk and its contents. Owners may want to limit access by
service staff to specific areas of the kiosk. With electronic access
solutions, operators can remotely issue service technicians timebased
electronic credentials for specific compartments.
Another rapidly emerging application that EAS can help
support is industrial vending systems. This is a relatively new
standalone kiosk concept that is being developed for manufacturing
facilities to help improve their supply chain efficiencies
and lean operations.
Suppliers of components or materials for assembly will position
self-service kiosks on factory floors fully stocked with the
materials needed for manufacturing or assembly operations. The
manufacturing staff access the kiosk using RFID or other access
devices to remove parts or tools as needed. EAS provides the access
control and tracking so that staff only access the materials
they need for the specific task or production process they are assigned
to.
Through EAS, both the manufacturer and the distributor or
supplier gain access to real-time data about production, material
usage, tool usage and other information. The manufacturer can
track what parts or materials were withdrawn from the kiosk and
assign cost tracking to each finished product. The supplier can
incorporate the EAS data to efficiently manage inventory replenishment
so that only the parts or materials needed are on hand
when the manufacturer needs them for operation.
A Word About Design
Display and self-service kiosks use a full range of industrial design
techniques to create distinctive, branded units with immediate
visual appeal to the audiences they target. Unfortunately, it is
often the case that locking mechanisms required to secure these
kiosks aren’t addressed until late in the design process.
That desired appeal — the quintessential “high-tech” presence
— can be compromised when the locks chosen do not match
the overall aesthetic or the locking devices incorporated into the
design fail to operate effectively over the long-term which can ultimately
cause quality issues and negative customer experiences.
Self-service equipment manufacturers can avoid these issues
by making locking and access hardware selection a key part of
the design process early on. Southco has decades of experience
with engineering both mechanical and electronic access hardware
solutions to meet additional industrial design requirements. Solutions
exist today that can be adapted to work with existing electronic
systems to integrate smoothly into the kiosk’s design.
Looking Towards the Future
As stand-alone kiosks expand into new applications and incorporate
more sophisticated technologies, ensuring that this equipment
provides intuitive end user access while maintaining physical
security must become a fundamental part of kiosk design. By
incorporating electronic access solutions into kiosk designs early
on, manufacturers can save time and resources while satisfying the
physical security requirements and aesthetics of the overall design.
For operators of stand-alone kiosks who must remotely
manage routine access and maintenance, EAS provides a realtime
solution for controlling and tracking to whom, when and
for how long access is granted, protecting valuable self-service
equipment and its contents from the risk of theft. Digital, interactive
stand-alone kiosks provide an useful tool that millions of
people use and appreciate each day — and by making sure they
are safe and secure, their appeal and value
will continue to grow.
This article originally appeared in the January / February 2020 issue of Security Today.