Article on the 2012 ADA regulations. For example, voice guidance is mandatory for new (or relocated) ATMs.
By Cary Stemle
After watching independent ATM deployers get sued left and right over fee stickers (and feeling a little sting himself), Ron Fadel, an attorney-turned-IAD, sees a similar legal scenario taking shape as the critical date of March 15, 2012 quickly bears down on the ATM industry.
On that day, new Americans with Disabilities Act regulations, which have been coming down the pike since updated ADA guidelines were published in 2004, will finally become law. Fadel, who runs Avery Scott, an IAD in Louisville, Ky., sees his colleagues getting blindsided.
“I don’t know if you’ll get speculative people driving up and down the interstates checking for ADA compliance, but there are more things that can go wrong with ADA,” he said. “And no one I have talked to or read about gives me any indication they have a handle on it.”
One problem, said Jason Kuhn of Payment Alliance International, is that manufacturers began to modify ATMs to comply with the 2004 guidelines. But some guidelines were further modified, he said, leaving the machines’ ultimate compliance in doubt.
“The Department of Justice is pretty good about being intentionally vague,” Kuhn said.
Another problem is misinformation. Many IADs and banks believe they’ll be granted safe harbor across a wide range of issues and can avoid making widespread alterations by claiming financial hardship. But that’s simply untrue, Fadel said. The new law will cut some slack in narrow instances — for example, a machine that was installed by 2010 and met the original 1991 ADA guidelines pertaining to height and reach is grandfathered, as long as the machine stays where it is.
Relocate it, however, and the exemption is gone. And voice guidance is non-negotiable.
“If you don’t have voice guidance,” Kuhn said, “you are in a world of hurt. Voice guidance is an absolute requirement.”
Some of the misinformation is coming from parties who should know better, said ADA compliance expert Sam M. Ditzion, CEO of Tremont Capital Group Inc., an ATM industry consulting firm. He declined to name names, but said, “A large number of people in very prominent positions in the ATM industry are communicating inaccurate interpretations of the highly technical regulations to large numbers of IADs. It’s very, very dangerous and will likely lead to significant liability to many stakeholders in the industry.”
The price of ADA compliance
Kuhn noted that ATMs can often be modified to gain compliance — replacing a keypad, for example — but that will add up quickly, and there is a point when the cost-benefit analysis dictates replacing a machine. Many older machines, he said, will simply need to be retired.
Then there are the potential legal costs. Many insiders fear a repeat of the fee sticker lawsuits as advocacy groups find vulnerabilities and file class action lawsuits on behalf of all disabled people. Some state laws, Fadel said, will allow for large recoveries. Further, he said, the new regulations greatly expand who is protected by the ADA.
None of this is unforeseen, but because the new regulations are not quite actual law, Kuhn said, there’s never been anyone to sue. That will change in March. He and Fadel are often asked by customers who will be liable — for example, can an IAD be held responsible if a convenience store operator stages a crate of soft drinks in front of an ATM?
“The portions of the ADA that affect ATMs are not top of mind for someone who is worrying about having enough beer and cigarettes to sell for the weekend,” Kuhn said.
The short answer: It depends. Both men believe attorneys will sue everyone involved and let the courts sort it out.
Fadel understands that; he paid an attorney $5,000 to answer a fee sticker lawsuit. The suit was dismissed. He has reworked his contracts to hold him harmless in the event of an ADA lawsuit prompted by the actions of his clients.
“It’s not just the threat of suits, but also the hundreds of thousands of dollars in attorneys’ fees to begin addressing a suit,” Ditzion said. “It can get extremely expensive very quickly.”
Kuhn said his company is working hard to educate its market partners. It has trained its sales force to become ADA experts, issued a white paper and established a forum on its website, which he said has gotten quite active.
As a service to readers, we've now included direct links to relevant standards organizations and regulations. Do you ever wonder what the difference between EMV Level 1 and Level 2 is? Just who exactly has PCI-certified Validated Payment Applications? They are now easy to get to on the right resource panel. For reference, more in-depth articles on those particular subjects are located on the Kiosk Industry Group site, www.gokiosk.net.
Marrying eco-conscientiousness with business IT practices can save both money and the environment.
The bottom line rules
At this early stage in the green IT game, it's hard to make definitive statements, because strategies are still being formulated by vendors and users. This is highlighted by the results of a May 2007 Forrester survey of 124 IT managers and procurement professionals in North America and Europe.
The report, entitled Tapping Buyers' Growing Interest in Green IT, notes that while 85% of respondents said that environmental factors are important in planning IT operations, only one quarter said they have written green criteria into their companies' purchasing processes.
In the end, of course, it all boils down to the bottom line. As one survey respondent declared, "We would do green because it makes business sense, not because it's green. It would have to show cost savings."
The report's author, Christopher Mines, notes: "We heard two reasons why green matters: efficiency and corporate responsibility. Most IT decision-makers told us that a green purchase would only happen in the context of cost reduction. These are hard-headed, ROI-driven business decisions."
Nice article on status of PCI compliance and how retailers and Visa stand in relation. This situation is beginning to be compounded in complexity by the issuing of stored value cards (Subway noted in sub-article). Storing full data from the magnetic stripe card is still considered the most dangerous offense.
Retailers Not Exactly Where Visa Wants Them to Be
By Evan Schuman, Ziff Davis Internet
July 31, 2007
When Visa on July 30 released its latest PCI compliance statistics, it showed small but steady progress, with slight increases in most areas. But it also showed that there is still a small handful of major retailers retaining prohibited credit card information.
Visa stressed in its statement that the vast majority (96 percent) of Level 1 and Level 2 merchants—a category including virtually all of the nation's largest retailers—have written to Visa that "they are not storing sensitive account data" including credit card security codes and PINs.
But given that Visa has said that there are 1,057 retailers in that group (327 Level 1 U.S. retailers and 730 Level 2 retailers), that four percent suggests that about 42 major retail chains aren't even claiming that they've stopped retaining that data. Visa estimates that the 96 percent relates roughly equally to both groups, suggesting about 13 retailers in the Level 1 group (with the very largest retailers) and about 29 in the Level 2 group.
Gartner security analyst Avivah Litan expressed particular concern about the Level 1 retailers who are still retaining the prohibited data. "Even if it's just 13, that's way too many," Litan said, adding that if 13 are saying that they still retain the prohibited data, the actual number of retailers who are doing so is likely much higher.
Of all of the PCI security areas (including encryption, wireless detection methods, not retaining old transaction data, etc.), Litan argues that Visa considers retention of prohibited data to be the most serious. "That’s the data the banks really care about," Litan said. "If the crook steals the data from the [magnetic] stripe, they can make a perfect card."
Litan said that when she met with Visa officials in October 2006, they reported that only three retailers were then saying they were still storing the data, which is less than one third the number apparently reporting that today.
“We know that merchants that store full magnetic-stripe data expose themselves to risk exponentially,” said Michael E. Smith, senior vice president of Enterprise Risk and Compliance at Visa USA, in the Visa statement. “By removing prohibited data from their payment systems, large and small businesses alike are denying hackers the data they covet for use in counterfeiting payment cards and are thus making their businesses and the payments system more secure.”
Why are some major retailers still holding onto this information, which likely is of little to no marketing or analytical value to them? "In the merchants' defense, it's very costly to change their systems," Litan said. "For a Level 1 retailer with 500—and sometimes 10,000—store locations, it's not that simple to change POS systems."
Eduardo Perez, vice president, payment systems risk, Visa USA, agreed that cost can be a key factor. "It can require notable resources to change or upgrade payment applications," Perez said. "It can pose some notable challenges."
But he saw the usage of some non-compliant payment applications as a much bigger culprit, which is why Visa has distributed names of those ISVs to key retailers. Visa has refused to identify those ISVs because it fears that doing so might help cyber thieves zero in on those customers.
"It's the payment application that is causing the merchant to store track data," Perez said.
There's also the distinct possibility the numbers might be far worse. The Visa statement suggested that the percentages referenced came from retailer declarations to Visa, as opposed to audit results. If that's the case, the question isn't actually getting at whether the retailer stores the prohibited data as much as whether the person filling out the form believes the data is being retained.
Today's complicated enterprise networks allow many copies of these numbers to be scattered across various departments: store operations, marketing, IT, accounting, etc. This raises the question of whether copies of the prohibited data aren't floating around somewhere, well beyond the knowledge of the IT manager filling out the form.
"How do they know they’re not? If you were to ask me, 'Are your doors locked?', I'd say 'Of course they are.' That is, until I find one that isn't," said Mark Rasch, a legal security consultant with FTI Consulting and the former head of the U.S. Justice Department's high-tech crimes unit. "This is the equivalent of going out to the top 100 companies and asking, 'Are you violating any securities laws?'"
Visa also released on Monday the latest compliance numbers for its Payment Card Industry Data Security Standard (PCI DSS), which showed slow but steady improvements in all areas. These results are based on audited results.
Level 1 includes any merchant processing more than 6 million Visa transactions per year, regardless of volume or acceptance channel. Level 2 includes any merchant that processes 1 million to 6 million Visa transactions per year, regardless of acceptance channel. Level 3 are retailers that process 20,000 to 1 million Visa e-commerce transactions per year and Level 4 includes any merchant processing fewer than 20,000 Visa e-commerce transactions per year as well as all other merchants processing as many as 1 million Visa transactions per year.
The figures for July showed that 40 percent of Level 1 retailers were compliant, up from the 35 percent compliance rate for that group that Visa reported in May 2007. In May 2006, the compliance rate for that group was 18 percent.
The new July 2007 figures for Level 1 retailers showed that an additional 50 percent have pledged to repair security holes, a process known as filing a ROC (Report On Compliance).
Back in May, Visa reported that 51 percent had been involved in the ROC stage, a slight one percent increase that is more than made up for by the increase in actually compliant Level 1 retailers. That July figure leaves 10 percent that are neither compliant nor pledging to be compliant, a sharp drop from the 14 percent Visa reported in May.
With the somewhat smaller Level 2 retailers, the July figures showed a 33 percent compliance rate—up from 26 percent in May—and the smaller Level 3 retailers showed 52 percent compliance, just slightly up from the 51 percent that Visa reported for that group in May.
Visa didn't release any figures for its Level 4 retailers, but Visa's Perez said, "We know that compliance is low." Visa is expecting to have more specific numbers for that group soon.
Compliance with HIPAA requires a complete audit trail of who accessed what information on any PC, regardless of application.
(January 12, 2004) Weiner Memorial Medical Center in Marshall, Minn., will implement audit trail software to track all activity on personal computers in the 113-bed facility. The technology from Kirkland, Wash.-based TrueActive Software is part of Weiner Memorial's compliance with HIPAA privacy and security rules, says Marc Mattson, network consultant at the hospital. The software will give a complete audit trail of who has accessed what information on any PC regardless of the application, he adds. Terms of the contract were not disclosed.
The Association for Retail Technology Standards (ARTS) of the National Retail Federation is a retailer-driven membership organization dedicated to creating an international, barrier-free technology environment for retailers. One of its standards is UnifiedPOS.
Think about a wireless LAN with enough throughput to match your switched Ethernet infrastructure.
That's what the IEEE is thinking about.
Last week, the international standards group launched a working group charged with crafting changes to the 802.11 WLAN standard so that these networks would deliver at least 100 M bit/sec. That number is throughput -- what users see when they transfer a file -- as distinct from the data rate, which is the raw speed before you subtract the overhead associated with the protocol.
In the case of 802.11, the overhead adds up to a whole lot, typically more than half of the data rate. An 802.11b access point, rated at 11 M bit/sec, typically gives a throughput of less than 6 M bit/sec. The 802.11a and 802.11g hardware can give users about 18 M to 22 M bit/sec. The data rate for both is 54 M bit/sec.
Silicon makers have boosted WLAN throughput to about 100 M bit/sec. The catch is that you have to have the same chips in both the client and the access point, and high throughput sacrifices conformity to the 802.11 specification. Atheros Communications, the first vendor with a 54 M bit/sec 802.11a chipset, markets CMOS chips that support what it calls "Super G" and "Super A/G" -- proprietary boosts of up to 100 M bit/sec throughput.
Atheros plans to contribute these and other technologies to the 802.11n task group, as it's called in IEEE terms. "The greatest challenge will be to deliver higher performance while reducing power and cost," says Craig Barratt, Atheros president and CEO.
A reason to embrace wireless technologies is that high-throughput WLANs will eliminate cabling costs. That's only true of the wires needed to connect clients to wiring closets. WLAN access points need to link via Ethernet cable to wiring closet switches.
Network executives, based on their WLAN experience, already seem to be discounting high-throughput claims. "Unless you are sitting right under the access point, you just don't get the maximum throughput," says Dewitt Latimer, deputy CIO and CTO at the University of Notre Dame in South Bend, Ind.
WLAN throughput falls off the farther a client device moves from an access point. The drop depends on how much metal, wood, concrete and other construction material is between the two devices. In almost every case today an access point is a shared medium: Whatever throughput it can deliver is divvied up among the users connected to that access point.
"Most practical applications, such as three students sitting under a tree working on a paper [with wireless notebooks], tend to be insensitive to bandwidth. I don't think high-throughput WLANs will be a big driver until we see things like streaming media applications being untethered," he says.
The 802.11n task group's first order of business will be to define a group of application scenarios, describing how the high-throughput technology will be used. In turn, these become the basis for evaluating and comparing what's expected to be several technologies contributed by different vendors, according to Brian Mathews, publicity chair for the IEEE 802.11 Work Group that oversees this standards work.
The ISO 9000 and ISO 14000 families are among ISO's most widely known and successful standards ever. ISO 9000 has become an international reference for quality requirements in business to business dealings, and ISO 14000 looks set to achieve at least as much, if not more, in helping organizations to meet their environmental challenges.
KIS is ISO-9001 certified.
UL Certification is a very important standard for public use self-service terminals and kiosks.
All KIS products are designed to UL specifications. We are authorized and can perform UL certification on new custom models on our premises.
Growing numbers of retailers are scoping out Java-based point-of-sale (POS) systems as one option to replace their aging cash registers.
KIS supports JavaPOS and has developed and can provide driver support for our products.
Common Use Self Service (CUSS) describes the specifications and standards for multiple airlines sharing one physical self-service kiosk. Member airlines will develop a Common Use Self-Service Platform to include, but not be limited to, check-in functionality. Future developments may include other functions, both business and technical.
KIS provides a CUSS-compliant product. Technical details, specifications and CUSS-standards as currently formulated are available upon request, or by visiting our private site.