What looks elegant on a PowerPoint slide becomes extremely ugly in airport operations.

The promise of CUSS (Common Use Self Service) has always been:

• shared hardware
• shared infrastructure
• shared application runtime
• multiple airlines on one kiosk
• reduced airport footprint
• lower CapEx

But the technical reality underneath is that CUSS effectively creates a shared trust and security ecosystem across airlines, airports, middleware providers, peripheral vendors, operating systems, and remote management layers.

That is where things get difficult.

The Hidden Technical Problem: Trust Stores & Certificates

At a high level, every modern kiosk transaction depends on chains of trust. Any good webmaster is very familiar with these items.

Think:

• HTTPS certificates
• TLS encryption
• device certificates
• signed executables
• browser trust stores
• payment terminal certificates
• VPN certificates
• airline web services
• API authentication
• baggage interfaces
• boarding pass validation
• biometric identity systems

In a proprietary airline kiosk stack, the airline controls nearly all of this.

In CUSS, the trust model becomes federated and shared.

That sounds efficient.

Operationally, it can become fragile.

Old HTTP vs HTTPS Analogy

Our comparison is actually very accurate.

Old web:

• Simple
• Open
• Minimal dependencies
• Fewer certificate failures
• Lower security

Modern HTTPS ecosystem:

• Certificate chains
• Root CA dependencies
• Browser enforcement
• TLS version compliance
• OCSP/CRL validation
• HSTS
• Cipher requirements
• Continuous updates

Now apply that complexity to:

• kiosks
• airports
• airline applications
• badge readers
• boarding pass printers
• passport scanners
• payment systems
• baggage drops
• biometric verification
• multiple airlines sharing the same endpoint

That is effectively what modern CUSS environments become.

Shared Trust Models Become Political

In proprietary kiosks:

Delta controls Delta.
United controls United.

Simple accountability.

In CUSS:

Who owns trust?

Possible stakeholders:

• airport authority
• SITA
• Amadeus
• airline IT
• kiosk OEM
• OS vendor
• payment provider
• security middleware vendor
• browser engine vendor

Now imagine:

• one expired certificate
• one outdated root CA
• one unsupported TLS version
• one revoked signing cert

Suddenly:

• boarding fails
• check-in fails
• payment fails
• bag tag printing fails
• biometrics fail

And every airline points at someone else.

Certificate Management at Scale

Airports may operate:

• hundreds of kiosks
• multiple terminals
• multiple airlines
• multiple VLANs
• multiple trust zones
• different OS versions
• different peripheral firmware levels

Now layer on:

• certificate expiration schedules
• intermediate CA rotations
• root trust updates
• code-signing renewals
• PCI key rotation
• TPM requirements
• secure boot validation

One missed update can create a cascading operational outage.

This is exactly the kind of issue enterprises increasingly hate.

Browser/Runtime Dependency Hell

Modern CUSS increasingly depends on:

• Chromium runtimes
• WebView frameworks
• browser security policies
• sandboxing
• JavaScript compatibility
• web APIs
• containerized components

The problem:
Browsers evolve fast.
Airports evolve slowly.

A kiosk deployment may remain operational for:

• 7 years
• 10 years
• sometimes longer

But Chromium security assumptions may change every few months.

Examples:

• deprecated TLS support
• removed root certificates
• stricter cookie enforcement
• cross-origin restrictions
• certificate pinning changes
• deprecated cryptographic algorithms

Suddenly:
the airline application that worked for years no longer works after a mandatory security update.

Middleware Coordination Is the Silent Killer

CUSS depends heavily on middleware abstraction.

That means:

• airline app
• device abstraction layer
• printer services
• scanner services
• payment services
• kiosk management platform
• OS security stack

All must coordinate perfectly.

One mismatch breaks the chain.

Example:

• Windows patch updates driver signing enforcement
• scanner middleware no longer trusted
• bag-tag printer stops enumerating
• airline app cannot detect peripheral

Passenger sees:
“Kiosk Out of Service”

Actual root cause:
certificate trust mismatch between middleware layers.

Security Patch Synchronization

This may be the single biggest operational problem.

Modern cybersecurity now assumes:

• continuous patching
• rapid vulnerability response
• zero-trust segmentation
• endpoint hardening
• least privilege
• signed code validation

But airports hate rapid change.

Because uptime matters more than novelty.

Now multiply this problem across:

• airports
• airlines
• CUSS providers
• kiosk vendors
• peripheral suppliers
• payment providers

A critical CVE may require:

• OS patch
• middleware patch
• browser patch
• device firmware patch
• certificate update

If even one layer lags:
the whole ecosystem becomes vulnerable or unstable.

Windows 10 EOL Is a Major Trigger

This is probably underestimated.

A massive percentage of deployed kiosks globally still rely on Windows 10 variants.

Windows 10 EOL forces decisions around:

• TPM requirements
• secure boot
• driver compatibility
• hardware acceleration
• kiosk lockdown tools
• certificate handling
• browser engine compatibility

Many older kiosks:

• technically still work
• but fail modern security assumptions

This creates a brutal economic question:

Do we:

1. retrofit?
2. virtualize?
3. isolate?
4. replace?
5. migrate to Linux?
6. abandon shared CUSS infrastructure?

Some airlines may decide:
“We already operate proprietary kiosks successfully. Why complicate this?”

PCI DSS 4.0 Changes the Equation

PCI Security Standards Council requirements increasingly emphasize:

• continuous monitoring
• stronger authentication
• tighter segmentation
• vulnerability management
• encrypted transmission
• software integrity

Shared environments are inherently harder to secure.

A proprietary airline kiosk:

• smaller attack surface
• fewer dependencies
• clearer ownership
• faster incident response

A shared CUSS environment:

• broader attack surface
• multiple tenants
• dependency sprawl
• harder segmentation
• harder forensic attribution

Security teams increasingly dislike this model.

Zero-Trust Architecture Conflicts With Shared Platforms

This is the deepest strategic issue.

Zero-trust philosophy says:

“Never trust shared environments.”

But CUSS fundamentally IS a shared environment.

Zero-trust prefers:

• identity-centric access
• segmentation
• isolated workloads
• application containment
• hardware attestation
• minimal lateral trust

CUSS historically evolved from:
“shared infrastructure is efficient.”

Modern cybersecurity says:
“shared infrastructure increases risk.”

Those two philosophies are colliding.

Why Airlines May Resist CUSS 2 Retrofits

Many airlines may quietly conclude:

“We gain little operationally but inherit major security complexity.”

Especially if they already have:

• mature proprietary kiosks
• cloud-managed fleets
• standardized peripherals
• centralized monitoring
• existing vendor contracts
• integrated loyalty/payment systems

Retrofitting into CUSS 2 means:

• revalidation
• recertification
• trust federation
• middleware testing
• peripheral interoperability testing
• security coordination with third parties

That is expensive.

And often politically difficult.

The Irony

CUSS originally solved fragmentation.

But modern cybersecurity and platform evolution may now make highly shared systems less attractive.

The industry trend elsewhere is actually toward:

• containerization
• workload isolation
• edge security
• device identity
• dedicated trust boundaries
• platform simplification

In other words:
the broader IT industry is moving AWAY from the architectural assumptions that originally made CUSS attractive.

That does not mean CUSS disappears.

But it may explain why adoption momentum can feel slower than the original vision suggested.

But non-working kiosks are intolerable. How to get around economically?

That is exactly the core issue. A failed self-service kiosk in an airport is not merely an “IT problem.”

It immediately becomes:

• queue congestion
• missed flights
• baggage delays
• staffing escalation
• gate pressure
• customer dissatisfaction
• operational disruption

In aviation, uptime is king.

That reality often overrides architectural elegance.

The economic question becomes:

“What architecture minimizes operational chaos at acceptable cost?”

Not:

“What architecture is theoretically most interoperable?”

And that is where the industry may be quietly pivoting.

The Real Economic Equation

Airlines and airports increasingly evaluate:

$$\text{Operational Risk}>\text{Hardware Savings}$$

CUSS originally promised:

• fewer kiosks
• shared hardware
• lower CapEx
• space efficiency

But modern complexity introduces:

• higher support burden
• more coordination
• certification overhead
• security synchronization
• troubleshooting ambiguity

A proprietary kiosk may cost more upfront.

But if it reduces outages by even a small percentage:
the operational savings can dwarf hardware costs.

One major outage during peak operations can cost enormous money.

Airlines Optimize for Predictability

Airlines generally prefer:

• boring
• stable
• controlled
• repeatable
• isolated

The same reason airlines resist rapid OS changes is why they may resist deep shared-platform dependencies.

A dedicated airline stack means:

• known hardware
• known software
• known certificates
• known peripherals
• known update cadence
• known rollback path

That has tremendous operational value.

Economically, the Industry Is Moving Toward Hybrid Models

This is probably the most likely long-term outcome.

Not:

• full proprietary
• full common-use

Instead:

“Managed isolation”

Examples:

• shared enclosure
• shared footprint
• shared airport management layer

BUT:

• isolated airline containers
• isolated certificates
• isolated runtimes
• isolated trust domains
• isolated update pipelines

Essentially:
physical sharing with logical separation.

That aligns much better with modern zero-trust thinking.

The Containerization Direction

Modern enterprise IT solved similar problems using:

• VMs
• containers
• workload isolation
• Kubernetes-style orchestration
• sandboxed runtimes

CUSS 2 may eventually evolve toward:

• airline-specific containers
• cryptographically isolated workloads
• independent certificate chains
• modular updates

Instead of:
“One giant shared trust ecosystem.”

This reduces blast radius.

If Airline A breaks:
Airline B still operates.

That is operationally critical.

Edge Management Is Becoming Central

The hidden shift in kiosks is that they increasingly behave like managed edge devices.

The future architecture likely includes:

• remote orchestration
• continuous health monitoring
• predictive maintenance
• certificate lifecycle automation
• automated rollback
• immutable OS images
• secure edge compute

In other words:
more like cloud infrastructure deployed physically at the edge.

This is where companies like:

• Intel
• Red Hat
• VMware
• Microsoft

have indirectly influenced kiosk architecture thinking.

The Winning Economic Strategy May Be “Controlled Standardization”

Not fully open.
Not fully proprietary.

Instead:

• standard hardware
• standardized APIs
• standardized peripherals
• standardized management

BUT:

• isolated applications
• isolated security domains
• airline-level operational control

This gives:

• operational stability
• easier certification
• lower downtime risk
• manageable security

without requiring every airline to completely surrender control.

Why Retrofit Economics Matter

This is where retrofit becomes extremely attractive.

Many airports already have:

• functioning enclosures
• peripherals
• mounts
• power
• networking
• scanners
• printers

The expensive part is often:

• certification
• integration
• software migration
• trust/security modernization

Thus:
adding:

• TPMs
• Edge AI accelerators
• modern management layers
• Linux migration
• containerized runtimes

may be far cheaper than total replacement.

This mirrors broader enterprise IT trends.

Airlines May Quietly Prefer “Private Common Use”

This may sound contradictory, but it is likely where the market heads.

Meaning:

• common-use physically
• proprietary logically

Example:
same kiosk hardware platform,
but:

• airline-specific runtime
• airline-specific certificates
• airline-specific cloud control
• airline-specific UX
• airline-specific release cycle

Passengers still perceive:
“shared airport kiosks.”

Operationally:
they are semi-isolated systems.

Why Linux May Gain Ground

Windows lifecycle churn is becoming economically painful for long-lived kiosks.

Linux offers:

• longer lifecycle control
• customizable trust stores
• smaller attack surface
• lower licensing costs
• stable embedded deployments

But Linux increases:

• integration burden
• support complexity
• driver coordination

Thus:
large sophisticated operators may adopt it,
while others remain Windows-centric.

The Harsh Reality

The cheapest architecture on paper is often the most expensive operationally.

Airport kiosks exist in:

• regulated environments
• high uptime environments
• public environments
• hostile cyber environments
• multi-vendor ecosystems

That combination punishes architectural fragility.

So the industry increasingly optimizes for:

• resilience
• rollback
• isolation
• observability
• lifecycle stability

rather than pure hardware-sharing efficiency.

The Big Strategic Insight

The future of airport kiosks may look less like:
“shared PCs”

and more like:
“secure edge appliances with orchestrated workloads.”

That is a fundamentally different philosophy than early CUSS assumptions.

And it may explain why:

• proprietary stacks remain strong
• airlines hesitate on retrofit mandates
• airports move cautiously
• vendors emphasize lifecycle management
• edge orchestration becomes strategic
• security architecture becomes central to procurement decisions

The kiosk itself is no longer the product.

The operational trust architecture is.