Re: That was certainly my understanding
Which would be how I would design it. However, for all intents and purposes a properly secured and managed VLAN setup is practically identical to separate cabling (no, on a proper setup, you can't just "pretend" to be on the secure VLAN even if you know what that is - any decent switch will refuse that, only allow certain ports to do that, override any VLAN setting (or absence of one) you try anyway, or demand RADIUS to authenticate to the other VLAN).
But in terms of modifications... why would you want them remotely accessible from anything other than the central bank itself (and the computers controlling your centralised ATM network? Yeah, they shouldn't have Outlook on them), and why would you want to modify (say) denominations issued or present in the drawers? That stuff should be done by an engineer on-site (by definition, physically inside the bank, and usually when it's closed to the public).
Certainly it shouldn't be issuing out more than requested, giving money for free, or from accounts that don't have the funds (up to a set amount, possibly, in the case of complete disconnection from the network but to be honest, I would then say "Don't issue money at all but say 'Out of Order' because you have no idea if it actually exists in the account at all"). Isn't that how ATMs are scammed across Europe - everyone clones a card, uses it at the same time in ten different countries, the foreign ATMs all "trust" it for a while and issue cash, and only realises 10 times the amount has been withdrawn from various countries but it took a little while to update them all and realise that? It always seemed a stupid design to me, and the reason that card machines dial-up to check the ACTUAL live status rather than hope there was credit and issue the goods/money.