PCI-SSC in Access & Video Surveillance
The Payment Card Industry Security Standards Council (PCI SSC) does not mandate video surveillance as such, but PCI DSS contains physical security requirements that can be met with video surveillance, physical access control, or both. PCI DSS Requirement 9.1.1 (numbered 9.2.1.1 in PCI DSS v4.0) requires organizations to monitor individual physical access to sensitive areas using either video cameras or access control mechanisms, or both.
With most payment transactions now digital, the PCI-SSC's standards matter to every organization that touches payment card data. They set the baseline for how cardholder data must be handled; organizations that adopt them reduce their exposure to attacks and help preserve the integrity and reliability of the global payment ecosystem. The standards are revised as technology and the threat landscape change.
What is PCI-SSC?
The Payment Card Industry Security Standards Council is a global body founded in 2006 by the five major card brands: Visa, MasterCard, American Express, Discover, and JCB. Its mission is to develop and improve security standards for payment card transactions. The PCI-SSC brings together stakeholders from across the payments industry to create data security standards and supporting resources and to promote their adoption. It is responsible for drafting and updating the PCI Security Standards, which dictate how organizations must protect cardholder data.
Compliance with PCI-DSS is required of every entity that stores, processes, or transmits cardholder data, including those that merely accept cards. The obligation is enforced chiefly through the card brands' and acquiring banks' contractual rules rather than by statute, and non-compliance can mean fines or loss of the ability to accept cards. To help organizations meet PCI-DSS requirements, the PCI-SSC offers training programs, assessment tools (such as the Self-Assessment Questionnaires), and best-practice guidance. The council's significance lies in protecting cardholder data from fraud and theft, helping organizations reduce the risk of data breaches, and protecting their customers.
Role of PCI-SSC
1. Develop and Maintain the PCI-DSS:
The PCI-SSC develops and updates the PCI Data Security Standard (PCI-DSS), which sets out the requirements for safeguarding cardholder data, and revises it so that it keeps pace with current threats and with changes in how payments are made.
2. Promote Awareness of PCI-DSS Compliance:
The PCI-SSC raises awareness of PCI-DSS compliance through its website, social media, public relations campaigns, and collaboration with industry organizations, with the aim of promoting understanding of and adherence to PCI-DSS.
3. Assess Organizations for PCI-DSS Compliance:
The PCI-SSC does not itself assess organizations for PCI-DSS compliance. Instead, it trains, qualifies, and lists the Qualified Security Assessors (QSAs) who conduct PCI-DSS assessments and the Approved Scanning Vendors (ASVs) that perform the required external vulnerability scans, and it can revoke that status. The resulting compliance validation is reported to the organization's acquiring bank or card brand, not to the council.
4. Educate and Train Organizations on the PCI-DSS:
The PCI-SSC provides training programs and resources that cover security requirements, assessment procedures, and best practices, so that organizations have the knowledge and skills to implement PCI-DSS effectively.
Importance of PCI-SSC
1. Protection Against Cyber Threats:
Data breaches and identity theft have risen sharply in the digital age. The PCI-SSC's standards set a security baseline that businesses handling payment card data must meet, reducing the likelihood that sensitive payment information is exposed. Compliance lowers risk; it does not guarantee that a breach cannot occur.
2. The PCI-DSS is Up-to-Date:
The PCI-SSC updates the PCI-DSS to address current security threats, so that organizations apply an up-to-date set of controls for protecting cardholder data rather than one frozen at a past point in time.
3. Facilitating PCI-DSS Compliance:
The PCI-SSC provides resources such as training programs, assessment tools, and best-practice guidance to help organizations of all sizes comply with the PCI-DSS.
4. Comprehensive Security Framework:
The PCI-DSS covers payment card security from several angles, including network security, encryption of cardholder data, access controls, logging and monitoring, and regular testing, so that weaknesses are addressed in depth rather than at a single layer.
PCI DSS and Physical Security:
PCI DSS (Payment Card Industry Data Security Standard) includes requirements for protecting physical access to areas where cardholder data is stored, processed, or transmitted.
The standard requires "either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas," which leaves the choice of mechanism to the organization.
"Sensitive areas" include:
"data centers, server rooms, back-office rooms at retail locations, and any area that concentrates or aggregates cardholder storage, processing, or transmission ... This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."
Bottom line: if your environment does not control and record individual access to sensitive areas with an access control system, you will need security cameras that monitor individual physical access to those areas.
Requirement 9.1.1:
This requirement (9.2.1.1 in PCI DSS v4.0) focuses on monitoring individual physical access to sensitive areas, which include data centers, server rooms, and other locations where cardholder data is handled.
Video Surveillance as a Solution:
Organizations can use video cameras, physical access control mechanisms (such as keycard or badge systems), or both to meet this requirement. The requirement also expects the collected data (footage or access logs) to be reviewed and correlated with other entries, for example visitor logs or badge records, rather than merely stored.
Footage Retention:
PCI DSS does not prescribe how cameras record (continuous versus motion-triggered), what resolution they use, or how footage is stored, but Requirement 9.1.1 does state that the collected data is to be stored for at least three months unless otherwise restricted by law. That minimum applies to whichever mechanism you rely on: camera footage, access control logs, or both.
Focus on Access Control:
The primary goal of these physical security measures is to prevent unauthorized access to sensitive areas, and to be able to reconstruct who entered when if it happens, thus protecting cardholder data.
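The "review and correlate" step that Requirement 9.1.1 asks for, shown as an added example (editor-supplied code, not from the original page, from the PCI SSC, or from any camera or access control product): it reads a constructed badge reader log and a constructed camera motion log in an assumed `timestamp source KIND key=value` line format, pairs each motion event at the server room door with a badge grant in the preceding ten seconds, and reports what does not pair: motion with no grant (tailgating, forced entry, or a propped door), motion right after a denied swipe, and grants the camera never saw (a blind spot, a camera outage, or a motion trigger that failed to fire). The door and camera names, user names, timestamps, and the ten-second window are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data). Assumed line format:
#   <ISO-8601 UTC timestamp> <source> <KIND> <key=value>
BADGE_LOG = """\
2024-03-04T08:02:11Z server-room-door GRANTED user=alice
2024-03-04T08:02:40Z server-room-door GRANTED user=bob
2024-03-04T12:15:05Z server-room-door DENIED user=mallory
2024-03-04T17:40:22Z server-room-door GRANTED user=alice
2024-03-04T20:05:00Z server-room-door GRANTED user=bob
"""

CAMERA_LOG = """\
2024-03-04T08:02:14Z cam-07 MOTION zone=server-room-door
2024-03-04T08:02:43Z cam-07 MOTION zone=server-room-door
2024-03-04T12:15:09Z cam-07 MOTION zone=server-room-door
2024-03-04T14:30:00Z cam-07 MOTION zone=server-room-door
2024-03-04T17:40:25Z cam-07 MOTION zone=server-room-door
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    kind: str    # GRANTED / DENIED for the badge reader, MOTION for the camera
    detail: str  # user=... or zone=...


def parse_log(text: str) -> list[Event]:
    """Parse the assumed line format above into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, source, kind, detail = line.split(maxsplit=3)
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, source, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def correlate(badge: list[Event], camera: list[Event],
              window: timedelta = timedelta(seconds=10)) -> dict[str, list]:
    """Pair each camera MOTION event with one badge GRANTED event that occurred
    at most `window` earlier. Whatever fails to pair is what the reviewer looks at:
      unexplained_motion   - someone at the door with no matching grant
                             (tailgating, forced entry, or a propped-open door)
      motion_after_denial  - unexplained motion within `window` of a DENIED swipe
                             (subset of the above; worth escalating)
      grant_without_motion - a grant the camera never saw (blind spot, camera
                             down, or a motion trigger that did not fire)
    """
    grants = [e for e in badge if e.kind == "GRANTED"]
    denials = [e for e in badge if e.kind == "DENIED"]
    used: set[int] = set()          # indexes of grants already paired
    matched, unexplained, after_denial = [], [], []

    for m in (e for e in camera if e.kind == "MOTION"):
        hit = next((i for i, g in enumerate(grants)
                    if i not in used and timedelta(0) <= m.ts - g.ts <= window), None)
        if hit is None:
            unexplained.append(m)
            if any(timedelta(0) <= m.ts - d.ts <= window for d in denials):
                after_denial.append(m)
        else:
            used.add(hit)
            matched.append((grants[hit], m))

    return {
        "matched": matched,
        "unexplained_motion": unexplained,
        "motion_after_denial": after_denial,
        "grant_without_motion": [g for i, g in enumerate(grants) if i not in used],
    }


if __name__ == "__main__":
    report = correlate(parse_log(BADGE_LOG), parse_log(CAMERA_LOG))
    for key, events in report.items():
        print(f"{key}: {len(events)}")
        for ev in events:
            print("   ", f"{ev[0]} <-> {ev[1]}" if isinstance(ev, tuple) else ev)
```

On the sample data this pairs three door openings with their grants, flags the 12:15:09 motion as occurring right after a denied swipe, flags the 14:30:00 motion as having no badge event at all, and flags the 20:05:00 grant as one the camera never recorded. Run the same logic daily against real exports and every item in the three "unpaired" lists is a review entry for the log you show the assessor.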
Key considerations when using security cameras for PCI compliance
Here are four additional considerations specific to security cameras in the context of PCI compliance:
- Regularly scheduled risk assessments. A full understanding of the security camera system, the business environment, and the threat environment allows for any adjustments needed to maintain compliance and continuously improve processes.
- Employee training & awareness. Educating employees about PCI compliance is essential to program success. Employees who are aware understand how their role affects compliance and can support the program on an ongoing basis.
- Partnering with a vendor. A vendor that understands PCI compliance as it applies to security cameras, and that offers suitable solutions, can take on program management so your staff can focus on mission-critical activities. Outsourcing does not transfer the obligation, however: the assessed entity remains responsible for compliance, and the vendor's role should be managed under the third-party service provider controls in Requirement 12.
- Security cameras + access control. A hybrid solution gives the strongest coverage. Integrating access control with security cameras lets you correlate each badge event with footage of who actually passed through the door, which is exactly the "review and correlate" step the requirement calls for.
Can the video retention be motion-based?
The PCI standard does not say whether motion-triggered recording may be used. However, 24/7 recording with time stamps provides a comprehensive, clear record of all entry and exit events in an area for access control purposes.
The advantage of motion-based recording is lower storage cost. The disadvantages are false positives from background motion (passing cars, blowing leaves, birds, etc.) and false negatives (the camera failing to start recording an incident); a false negative is a gap in the record you are required to keep. 24/7 recording avoids those disadvantages, and the three-month minimum retention under PCI keeps storage costs manageable. If you do use motion-triggered recording, configure a pre-record buffer of several seconds and verify regularly that every door event in the access control log has corresponding footage.
Maintaining compliance
Achieving PCI compliance is simply the beginning. Maintaining compliance requires a consistent, strategic commitment to an ongoing compliance program. The three most important elements of an effective program are:
- Dedicate the resources necessary to continuously maintain compliance. This includes commitments of people and technologies.
- Regularly assess and test the information security environment. Implement a framework to identify whether controls are working and enact appropriate changes that support continuous improvement.
- Mature your vulnerability management. Vulnerability scans, patching, configuration management, passwords, and permissions reviews are part of an ongoing program to understand and respond to evolving vulnerabilities. For the camera and access control systems themselves, that means applying firmware updates, replacing default credentials, and keeping them segmented from the cardholder data environment.
Ref:
1. https://kirkpatrickprice.com/video/pci-requirement-9-1-1-use-either-video-cameras-access-control-mechanisms-monitor-individual-physical-access-sensitive-areas/
2. https://www.getscw.com/knowledge-base/pci-compliance-doesn-t-need-90-days-of-footage#:~:text=PCI%20DSS%20has%20no%20specific,no%20requirements%20for%20footage%20retention.
3. https://www.pcisecuritystandards.org/