Elevator Surveillance Guide

 Elevator Surveillance Guide

Installing surveillance in an elevator can be challenging. Small but wide areas, vandal resistance, and transmission methods all present challenges not found in other areas cameras are installed. In this note, we look at:

• Form factor: Box vs. dome vs. specialty
• Resolution: How much is necessary?
• Transmission: Wired vs. wireless vs laser methods
• Dealing with electrical contractors

Form Factor

The first decision to make when considering elevator cameras is form factor. Minidome and corner mount are the two most common options in use as they most compact compared to box, bullet, or full sized dome cameras. Other form factors, such as box or bullet may be more easily tampered with due to the low ceiling height of the elevators, and more easily knocked out of position.

Minidome

The key advantage to minidomes is camera choice, as most manufacturers offer cameras in this form factor, with numerous resolution and lens options. These options are not generally seen in corner mount cameras.

However, they are more obtrusive than many corner mount housings, and do not blend into the interior of the elevator as well. Where aesthetics are the key concern, domes may not be preferred.

Corner Mount

This type of mount places the camera in a roughly triangular housing made to cover one of the elevator's corners. Some are sold as unitized housing/camera packages, while other manufacturers sell housings meant to accept a box camera. Size and appearance varies depending on manufacturer:

They key drawback to corner mount cameras is limited availability. Most manufacturers do not offer corner mount options, and those that do typically only offer one or two models, with limited resolution and lens choices. Larger corner housings built for box cameras add more flexibility, but are larger and more obtrusive.

Field of View/Resolution

Given elevators' small size, generally under 10' wide, users typically choose to cover the full car instead of just the doors. This gives them not only the opportunity to view comings and goings, tracking subjects throughout a facitity, but to view potential incidents in the elevator, as well. However, care should be taken that pixels per foot (PPF) does not drop below acceptable levels for recognition if no other cameras will provide facial shots of subjects, e.g. lobby and hallway cameras.

For example, using an actual 103° field of view from an elevator camera with Camera Calculator, we can see the difference between VGA, 720p, and 1080p in a typical 8x8' elevator. Estimating ~9' to target to reliably capture subjects as they enter through the elevator doors, 720p provides 56 PPF in this scene. This is likely enough to provide identification quality video under good lighting. VGA provides only 28 PPF, too low for recognition, while 1080p provides 85, more than enough.

Mounting Height

Since most people look down while walking, and criminals may actively avoid cameras, mounting height in elevators should be carefully considered for the best chance of capture. As we found cameras are typically best mounted as low as possible, with ~8' being a "sweet spot", better able to see those with heads down or hats on while also see over subjects beneath the camera.

This image shows the effects of mounting height and the subject's face angle, displaying the difference in capture quality at various mounting heights with the subject's face level as well as tilted down.

Signal Transmission

Once the camera has been selected, installers must decide how signal will be carried from the elevator. There are three typical options for this:

• Traveler cable
• RF wireless
• Optical laser

Traveler Cable

Connections between the elevator car and the machine room for power and signal are made via a specialized traveler cable. This cable is attached to the car, typically to the bottom, and to the top or center of the shaft. The construction of this cable varies, but it typically contains multiple twisted pair conductors for power and control, and possibly a UTP or coaxial cable for video. 

This image shows cross-sections of various flat traveler cables:

Generally speaking, since these cables are often attached to the top of the shaft, making the cable approximately twice the height of the shaft, UTP is not a usable solution for Ethernet. Buildings of 12-14 stories can easily have a 300' traveling cable, which exceeds the maximum distance category cables can be run, before even considering horizontal runs to an equipment room or IDF. In low-rise buildings, UTP may be an option, however. Fiber-optic and coaxial cables may be considered otherwise.

RF Wireless

The second option is to opt for wireless connectivity, utilizing a pair of wireless APs between the car and bottom or top of shaft. Both are used in practice, with the bottom of the shaft generally chosen for easier servicing. In this case, local power must be obtained from the car, which may involve the elevator contractor. Power is readily available, however, due to lights and air conditioning installed in the car.

Wireless eliminates the issue of necessary conductors in the traveler cable, but presents challenges of its own. Cables and conduits located in the elevator shaft may cause interference, making wireless connectivity unreliable. Very narrow beamwidth antennas may be used to compensate for this, but antenna alignment must be carefully set and maintained over time.

Optical Wireless

Optical wireless uses a pair of laser transceivers, one mounted to the car, the other in the shaft, to send/receive data. This is specified to handle elevator shafts up to 75 floors.

Optical product performance is degraded by dust, dirt, and other debris which may fall in the elevator shaft and as such should be cleaned regularly.

Dealing With Elevator Contractors

Normally, most facilities maintain service contracts with an elevator contractor, since the elevator must undergo routine maintenance. These contractors may be difficult to deal with, as a number of users have shared. They are often hesitant to modify existing traveling cables for new services, simply because it complicates (however slightly) their routine maintenance of the elevator with a system outside their control. If the traveling cable is insufficient to add video, installing a new cable is, most times, cost prohibitive, and may remove the elevator from service for several days. Both of these add up to expenses users may not wish to incur.

To avoid the coordination and expense required to have the elevator vendor add video to a car, users and integrators may attempt to add their own cable to the car. There are two things to be aware of in this case: 

• Third parties attempting to modify the cable without the contractor's permission will void warranties and service contracts in most cases. Even leaving existing cables alone and simply zip-tying a new UTP cable to it may be frowned upon.
• According to NEC code, hoistway cables must be listed for use in these applications, and be of type E. Standard UTP, fiber, and coaxial cables do not meet these requirements.

 

Before Buying Intrusion Alarm System

Before Buying Intrusion Alarm System 

This is a short note on Intrusion or Burglar alarm system. A burglar alarm system is not something you shop for regularly. That’s because it’s an important purchase for your business that is meant to last — so make sure you have the best. While you can always upgrade as new technology is released, you still need to trust that your alarm system will work when it needs to.

In terms of cost, a high-quality alarm system can be expensive but it is an investment that provides peace of mind.

The system charges are generally separate from the monthly subscription costs besides the installation fees. While there is a lot to learn about alarm systems, it’s important to first learn which one would be the best fit for your home by reaching out to the professionals and asking the right questions.

Here are three questions you need to ask before deciding on which home alarm system is right for your home or your small offices:

Question #1: Accreditation?
The first question you should ask is to make sure that the company has the required accreditations to perform the service. There are a lot of companies who claim they have all the required levels of accreditations, but that might not be true. If they are able to produce some level of documentation that could authenticate that, it can’t get much better than that.

Question #2: Type of System?
The second question to ask is the type of system that is best for your business. Some homes are configured for both wired and wireless security systems while some are not. Hence, you need to be sure about it and avoid settling for a type of connection that is not already configured at your facility.

Question #3: How Much?
The most important question to ask is the cost associated with the total installation. Some companies offer incentives like free installation while others may offer discounts on monthly subscriptions.

Since there are so many types of commercial alarm systems available on the market, that suits your needs and your budget; just because a provider promises you the best, doesn’t mean and could be more effective doesn’t mean you necessarily need it.

Question #4: Installation by whom?
This is another most important questing to ask installation, testing & training of system that is best for your business. Both wired and wireless security systems recommended to involve certified installer. Non-certified experienced person may share password and backdoor entry details with hacker and connection that is not already configured correctly as per your needs.

Hopefully, this post has provided you with the information you can use to determine if you going to install. If you’re not sure, SSA Integrate can help. We have Texecom Certified (Level 3) Intrusion experts that can help you determine the best solution to meet your security needs while keeping you compliant with all the relevant codes. Contact SSA Integrate today to learn more.

Police stations must have functional CCTV cameras

Police stations must have functional CCTV cameras

The premier investigating agencies comes under the scanner of CCTV. The Supreme Court today (December 2, 2020) directed Centre to install CCTV cameras and recording equipment in the offices of Central Bureau of Investigation (CBI), National Investigating Agency (NIA), Enforcement Directorate (ED), Narcotics Control Bureau (NCB), Department of Revenue Intelligence (DRI), Serious Fraud Investigating Office (SFIO) & any other agency which carries out interrogation and has power of arrest.

Supreme Court through its judgement dated December 02nd, 2020 emphasized the pressing need for all State Police Forces to implement IP based CCTV surveillance system in each police station of the state / UT in order to prevent unlawful activities, ensuring safety of its citizens and also to efficiently deal with the cases involving allegations of torture in custody.

The Supreme Court has passed directions for constitution of “Oversight Committees” at the State (State Level Oversight Committee) and District (District Level Oversight Committee) level for ongoing installation and maintenance of CCTVs in Police Stations across all UTs and States while it directed Finance Departments of all UTs and States to allocate fund for it. 

The State Level Oversight Committee must consist of:

(i) The Secretary/Additional Secretary, Home Department;

(ii) Secretary/Additional Secretary, Finance Department;

(iii) The Director General/Inspector General of Police; and

(iv) The Chairperson/member of the State Women’s Commission.

So far as the District Level Oversight Committee is concerned, this should comprise of:

(i) The Divisional Commissioner/ Commissioner of Divisions/ Regional Commissioner/ Revenue Commissioner Division of the District (by whatever name called);

(ii) The District Magistrate of the District;

(iii) A Superintendent of Police of that District; and

(iv) A mayor of a municipality within the District/ a Head of the Zilla Panchayat in rural areas.

Salient features of Supreme Court Judgement in respect of CCTV surveillance of all Police Stations in the country.

• CCTV cameras should be installed at each and every Police Station and no part of a Police Station should be left uncovered, it is imperative to ensure that CCTV cameras are installed at following locations:
  Entry and exit points, Main gate of the police station, All lock-ups, All corridors, lobby/the reception area, All verandas/outhouses, Inspector’s room, Sub-Inspector’s room, Areas outside the lock-up room, Station hall, In front of the police station compound, Outside (not inside) washrooms/toilets, Duty Officer’s room, Back part of the police station etc.
• CCTVs shall also be installed in all the offices where interrogation and holding of accused takes place in the same manner as it would in a police station
• CCTV systems that have to be installed must be equipped with night vision and must necessarily consist of audio as well as video footage.
• In areas where there is either no electricity and/or internet, it shall be the duty of the States/Union Territories to provide the same as expeditiously as possible using any mode of providing electricity, including solar/wind power.
• The internet systems should support clear image resolutions and audio.
• CCTV camera footages should be preserved for a maximum possible period up to 18 months but not lesser than 12 months
• An oversight mechanism should be created whereby an independent committee can study the CCTV camera footages and periodically publish a report of its observations thereon.
• The District Level Oversight Committee shall have the following obligations:
• Health Monitoring and reporting of the CCTV systems
• To review footage stored from CCTVs in the various Police Stations to check for any human rights violation that may have occurred but are not reported
• The Commission/Court can immediately summon CCTV camera footage in relation to the complaint of any incident for its safe keeping, which may then be made available to an investigation agency in order to further process the complaint made to it.
• Posters at the entrance and inside of police station informing about the coverage of premises by CCTV, their privilege to file complaint to given authorities in case of any human rights violations inside the premises

The Government of Bihar has taken a huge step forward in its efforts to introduce transparency in the functioning of the police forces in the state. The Bihar State Electronics Development Corporation Ltd (BELTRON) has recently completed an ambitious project to bring the police stations of the state under 24×7 CCTV surveillance. More than 10,000 IP based CCTV cameras have been installed at over 900 police stations of Bihar. The project initiated and funded by the Home Department, Government of Bihar aims to fulfill the mandate of the Hon’ble Supreme Court to bring all police stations of the country under constant CCTV surveillance to protect human rights and prevent the use of torture in detention. The project was awarded to TATA Advanced Systems Ltd, one of India’s leading Physical & Cyber Security firms through a competitive bidding process at a cost of Rs 168 crores including operation and maintenance support for 5 years. Mr. C P Kariappa, Vice President, Tata Advanced Systems said “At TASL we have always taken pride in executing projects that build the nation, it was a prestigious project to be completed in challenging timeline across the state. Our teams could meet the expectations of customer despite disruptions due to flood and Covid-19”. The entire surveillance system is powered by Solar and online UPS to ensure 24X7 operations even if there is disruption in power supply. Mr. Kariappa further said “It was a pleasure working with Home Department, Govt of Bihar, Bihar Police and Beltron; this would not have been possible without their active participation and support. Also, we had an excellent team and partner ecosystem that lived up to all the challenges that was faced during the execution period”.

Bihar Government has plans to upgrade the existing system in line with the directions given by the Supreme Court and also extend it to the remaining police stations including outposts in the near future.

(2018) 5 SCC 311, directed that a Central Oversight Body be set up by the Ministry of Home Affairs to implement the plan of action with respect to the use of videography in the crime scene during the investigation. While considering the directions issued in D.K. Basu Vs. State of West Bengal & Others (2015) 8 SCC 744, it had held that there was a need for further directions that in every State an oversight mechanism be created whereby an independent committee can study the CCTV camera footages and periodically publish a report of its observations thereon. The COB was further directed to issue appropriate instructions in this regard at the earliest.

The Ministry of Home Affairs had constituted the Central Oversight Committee to oversee the implementation of the use of photography and videography in the crime scene by the State / Union Territory Government and other Central Agencies, to suggest the possibility of setting up a Central Server for implementation of videography, and to issue appropriate directions so as to ensure that use of videography becomes a reality in a phased manner.

The Court on 16/07/2020 had issued further notice to the MHA on the question of audio-video recordings of Section 161 CrPC statements as is provided by Section 161 (3) proviso, as well as the larger question as to installation of CCTV cameras in police stations generally. After which, action taken report was filed by 14 States till 24/11/2020, namely, West Bengal, Chhattisgarh, Tamil Nadu, Punjab, Nagaland, Karnataka, Tripura, Uttar Pradesh, Assam, Sikkim, Mizoram, Madhya Pradesh, Meghalaya, Manipur; and 2 Union Territories, namely, Andaman & Nicobar Islands and Puducherry.

The Court noted that the majority of the Compliance Affidavits and Action Taken Reports fail to disclose the exact position of CCTV cameras qua each Police Station. Further, it noted that the position qua constitution of Oversight Committees in accordance with the Order dated 03.04.2018, and/or details with respect to the Oversight Committees already constituted in the respective States and Union Territory have also not been disclosed.

Accordingly, the Supreme Court has passed the direction for filing of the Compliance affidavits by all the States and Union Territories by either the Principal Secretary of the State or the Secretary, Home Department of the States/Union Territories. “These affidavits are to be filed within a period of six weeks from today,” it said.

The Supreme Court has passed the slew of directions;

The Director General/Inspector General of Police of each State and Union Territory should issue directions to the person in charge of a Police Station to entrust the SHO of the concerned Police Station with the responsibility of assessing the working condition of the CCTV cameras installed in the police station and also to take corrective action to restore the functioning of all non-functional CCTV cameras. The SHO should also be made responsible for CCTV data maintenance, backup of data, fault rectification etc.

The State and Union Territory Governments should ensure that CCTV cameras are installed in each and every Police Station functioning in the respective State and/or Union Territory. Further, in order to ensure that no part of a Police Station is left uncovered, it is imperative to ensure that CCTV cameras are installed at all entry and exit points; main gate of the police station; all lock-ups; all corridors; lobby/the reception area; all verandas/outhouses, Inspector’s room; Sub-Inspector’s room; areas outside the lock-up room; station hall; in front of the police station compound; outside (not inside) washrooms/toilets; Duty Officer’s room; back part of the police station etc.

CCTV systems that have to be installed must be equipped with night vision and must necessarily consist of audio as well as video footage. In areas in which there is either no electricity and/or internet, it shall be the duty of the States/Union Territories to provide the same as expeditiously as possible using any mode of providing electricity, including solar/wind power. If the recording equipment, available in the market today, does not have the capacity to keep the recording for 18 months but for a lesser period of time, it shall be mandatory for all States, Union Territories and the Central Government to purchase one which allows storage for the maximum period possible, and, in any case, not below 1 year. It is also made clear that this will be reviewed by all the States so as to purchase equipment which is able to store the data for 18 months as soon as it is commercially available in the market. The affidavit of compliance to be filed by all States and Union Territories and Central Government shall clearly indicate that the best equipment available as of date has been purchased.

The Madhya Pradesh High Court while hearing a plea against alleged unlawful detention of the Petitioner by local Police authorities in the state, made prima facie observation that in order to escape liability, the Police often take a false stand that the CCTVs installed at Police station are not functioning. This Court feels prima facie that in order to cover up instances of unlawful detention by the police, the police comes up with the argument that the CCTV cameras are dysfunctional,” observed a Bench of Justice Atul Sreedharan.

It added that such a stand taken by the Police does not augur well for the ordinary citizens of the State as it creates an environment of giving an opportunity to the Police to act with impunity in complete disregard to human rights and personal liberty and enables them to detain anyone in the police station and conveniently give an explanation that the CCTV cameras were disfunctional during the period which the citizen says that he was unlaw detainer in the police station.

The remarks were made after the Court noted contradictions in the statements made by the local Police and by the Prosecutor, regarding reasons for not furnishing CCTV footage of the alleged date of detention. The former claimed that CCTV footage cannot be given as the cameras are not functioning since February 17. The prosecutor on the other hand submitted that the CCTV footage of the said period cannot be shown to the petitioner as that would reveal the identity of the source informant.

The facts of the petitioner’s case reveal a very shocking state of affairs in the State of Madhya Pradesh,” the Bench remarked while expressing surprise at the contrary stance. It noted that the prosecutor’s excuse for not giving the footage logically means that the CCTV cameras were functioning and there was indeed footage. But the police on the other hand claimed that the cameras themselves had turned dysfunctional from February, 2021.

In these circumstances, the Bench noted that the case discloses a larger issue and it has therefore summoned DIG- Bhopal (Urban), and SP (South Bhopal) on the next date of hearing, through video conferencing. They have been asked to come up with an explanation as to why the cameras were dysfunctional from 17.2.2021, whether the authorities who had to be informed about the dysfunctionality of the cameras were duly so informed by the SHO of PS Piplan, Bhopal and if they were so informed, what were the steps taken forthwith by those officials to have the cameras rectified in the shortest possible time.

Ref: 

https://www.isrmag.com/supreme-court-directive-to-implement-cctvs-in-all-police-stations-across-india/
https://www.scconline.com/blog/post/2020/12/02/sc-directs-all-states-uts-to-install-cctv-cameras-in-all-police-station-read-how-cctv-cameras-will-help-curb-custodial-violence/

The end of DVR in Video Surveillance

The end of DVR in Video Surveillance 

People are moving away from outdated DVRs in analog CCTV world to a more standardized and scalable IP video storage environment. The trends which are paving way for the demise of DVR in video surveillance field are as follows-

Edge Storage significance- People are nowadays going with the best available technology for their surveillance needs and are showing a lot of interest on edge based surveillance cameras. For this reason, IP camera vendors are getting busy in increasing the storage capacity of their SD/MicroSD Card driven network cameras. In next five years, there is a possibility that IP cameras with 1TB on-board video storage will be available to serve the purpose of Edge based video surveillance. There is a leeway that these edge storage enabled cameras can be used as standalone surveillance devices or in conjugation with a centrally located video storage solution, in order to achieve failover redundancy.

Network Attached Storage high availability will also play a vital role in the demise of the DVR. Interestingly, this deployment can be used in conjugation as a standalone archiving solution or in conjugation with an edge based network device. In case of small surveillance projects, both SD card and NAS storage systems will be good deployment solutions. Usually, these solutions will be a perfect match to analog technology deployment standards employed in retail stores or in offices.

Lower cost per Gigabyte of storage drives is the next trend which may pave way for the death of DVR. IT sector will find a strong focus from big data manufacturers on physical security and its associated video management system plus video analytics. The need for longer video storage periods and higher quality of video will also increase the need of higher storage capacity devices. People will then have the flexibility to just dump the appliance and go with reference architecture from the server manufacture. Again this centralized storage approach will also pair up with edge or intermediary secondary storage such as decentralized cameras, which are a perfect solution in environments where failover and bandwidth issues remain as main criterion.

Migration to cloud by IT sector will also pave way for the demise of DVR, as hosted video surveillance services will be on high demand. With existing partnerships in between software, camera hardware and cloud service providers getting strong; a fast, easily accessible and scalable solution for network video will be on high demand. Multi-location gas stations, retail sectors and quick server organizations have already become patrons of cloud based video surveillance storage. Seeing the secure central access enabled video approach, many large and mid-range organizations which have operations in geographically separated environments will go for cloud approach. As cloud based video surveillance cuts down the number of IT staff, its craze will double up by end of 2021.

So, presently for the above said reasons, the demise of DVR can predicted for sure. Feel free to speak up your mind on the said trends and let us know your opinion on DVRs existence in future of video surveillance.

H.264 vs H.265 vs H.266

 H.264 vs H.265 vs H.266

The most popular video codec right now is the H.264 standard since almost all media devices support it. Even video platforms on the web can’t help but add support for this codec, and for good reasons. YouTube, despite having its own, is beholden to H.264, and this won’t change for years to come.

Now, we do not expect it to be the top dog forever as more competitors come on the scene in hopes to replace it. The most notable would likely be the upgraded version, H.265, also known as HEVC (High-Efficiency Video Coding).

There is also the H.266 codec, but it differs a great deal when compared to the others we’ve just mentioned. Worry not, however, because we are going to explain each for your deeper understanding.

1] What is H.264 codec

This codec has been around since 2009, and for quite some time, it has been the standard. The codec is also known as AVC, MPEG-4 Part 10, and VC-1.

It’s a video compression standard that is designed to playback high-quality video at a small size than RAW and previous standards. We understand the compression ratio is twice that of MPEG-2, which is quite astonishing. It promises to provide high-quality content with no quality loss when compared to other standards. H.264 is used by most modern mobiles and 2K cameras.

Basically, if your file size is 88GB, H.264 compression can bring it down to a little over 800MB. Additionally, when compared to other compression technologies, low-bit rate plays an important role. In the end, users will save time when having to download or stream video content at any time.

2] What is H.265/HEVC codec

As you might be able to tell from the name, H.265/HEVC is the upgraded version of the previous, and it is designed to replace it at some time in the future. The new standard was released back in 2013, but only now has been getting huge support due to the rise of 4K. HEVC is promising a massive 50% bandwidth reduction compared to H.264 for the same video quality.

This will no doubt continue in the years to come as 4K televisions and monitors become more affordable. However, the big question right now, is, what makes H.265 the future?

Well, if you watch 4K content on YouTube, you should realize that it doesn’t hold a candle to the same video on a Bu-Ray disc. That is due to H.264 compression for the most part, and that is something the newer codec wants to solve.

From what we’ve come to understand, HEVC uses more efficient compression methods, therefore, the end content will showcase more detail and fewer artifacts. We all want this, which is why we cannot wait for more hardware manufacturers to support the future standard. H.265 is used by most modern mobiles and 4K cameras, and almost all new hardware now provides HEVC GPU acceleration.

Now, there is one big problem with H.265/HEVC right now. You see, it is quite slow if Hardware Acceleration is not in play. If you want to decode in HEVC, then a powerful computer is required. Intel 6th generation or newer, and AMD 6th generation or newer, are the CPUs you should consider when purchasing a computer for HEVC.

3] What is H.266 codec

In 2020, Fraunhofer HHI (together with partners like Apple, Ericsson, Intel, Huawei, Microsoft, Qualcomm, and Sony) developed. The world has yet to fully accept H.265 as the new standard where video codecs are concerned, but already H.266 is being touted Fraunhofer HHI, the company behind all three codecs.

At the moment, we understand that this new codec, also known as Versatile Video Coding (VVC), won’t improve video quality over its predecessor, but is expected to reduce the size. So in a sense, it is the same as H.265, but with a smaller footprint. H.266 is promising a massive 50% bandwidth reduction compared to H.265 for the same video quality.

When the H.266 codec is adopted in the future, people from around the world may have little problems with streaming 8K content on their favourite platforms. H.266 is used by most modern mobiles and 8K cameras

H.266/VVC is supposed to support: 

• Picture resolutions from 4K to 16K as well as 360° videos
• YCbCr color spaces with 4:2:0 sampling, 10-bit
• YCbCr/RGB 4:4:4 and YCbCr 4:2:2
• Auxiliary channels (transparency, depth, etc.) 
• High dynamic range (HDR) and wide color gamut
• Bit depths up to 16 bits per component 
• Fixed and variable frame rates
• Progressive scanning 

PCI DSS in Security Surveillance

PCI DSS in Security Surveillance

Access control & Video Surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. Thus, it’s no surprise that the Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures). PCI compliance appears to be an issue between the payment card companies such as VISA and the merchants who accept credit cards. However, as merchants are being required to comply, they are passing some of the impact down to the vendors whose systems sit on their network.

Some users, professional now start asking is OEM camera, NVR, Access Controller are Compliance by PCI-DSS, “We need your system to be PCI compliant before we can put it on the network”. Reason is that in Aug 13, 2018 US Govt Ban HikVision & Dahua (and their OEMs) product due to backdoor entry & lots of security risk. On Aug 13, 2019 US Govt signed as a Law.

According to the latest standards, PCI DSS applies to all entities involved in payment card industry—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). To safeguard credit card data from being stolen through network breaches and ineffective IT security practices. Originally most card providers such as Visa and MasterCard had established their own proprietary rules regarding the handling of credit card data by merchants. Concern and confusion by the merchants over varying and overlapping requirements by the rival card companies prompted the card issuers to create an independent organization and standard for protecting credit card data. This entity is known as the PCI Security Council and while there are actually several standards, the most applicable to our industry is the PCI-DSS. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as below:

‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

It is this need to secure the merchants entire network as well as the devices and software attached to the network that creates the demand for video surveillance vendors to meet PCI requirements, or more specifically, to provide solutions which are secure enough that they do not compromise the merchants network security plan. For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.

This first is the inherent or built-in security that the solution has as it leaves the manufacturers back door. Many solutions being shipped today utilize highly vulnerable technologies such as web applications, non-secured operating systems and may even have a wide variety of exploitable technologies built into the product.

Manufacturers first need to understand the most current threats and then need to evaluate and adapt their architectural design to provide maximum inherent security.

One method to accomplish this is by having a valid and effective Software Development Lifecycle (SDLC) program in place which adheres to industry best practices, meets secure software development standards and has security activities and awareness built-in throughout the process.

The second way that network insecurity can be introduced into the merchants’ network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from the PCI requirements are causing them to push back at the manufacturer.

Updated as part of PCI DSS version 3.0, Requirement 9 outlines steps that organizations should take to restrict physical access to cardholder data. Included under this requirement are guidelines that organizations must take to limit and monitor physical access to systems in the cardholder

data environment, such as points of sale (POS) systems. PCI DSS recommends deploying entry access control mechanisms or video security cameras to meet this requirement (or both). Additionally, they require companies to:

• ü  Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas
• ü  Verify that video cameras (or access controls) are protected from tampering or disabling
• ü  Review collected data and correlate with other entries
• ü  Store video data (or access logs data) for at least three months

Beyond the requirements specific to physical security, PCI DSS outlines a range of measures that organizations must

The PCI Data Security Standard (DSS) specifically excludes the need to provide cameras over cash registers:

DSS 9.1.1: "Use video cameras and/or access control mechanisms to monitor individual access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: - Sensitive areas refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business process. The classification level determines what an enterprise needs to do to remain compliant.

·        Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).

·        Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.

·        Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.

·        Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.

PCI DSS Compliance

Requirement 9: Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.

9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.

Clearly, there's no explicit camera requirement here, but cameras are a good way to remaining in compliance with requirement 9.2. It's hard to know if you had a physical security breach if you don't have any video evidence.

PCI PED Compliance

3.4.5.2 Monitor, Camera, and Digital Recorder Requirements

a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.

b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.

c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.

d) CCTV cameras must be connected at all times to:

·        Monitors located in the control room

·        An alarm system that will generate an alarm if the CCTV is disrupted

·        An active image-recording device

Q30 March (update) 2015

Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?

A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.

Some of OEM done PCI DSS Compliance

For example: On March 19, 2015 - NUUO, a leading provider of surveillance video management solutions, today announced that its NUUO Crystal family (NUUO CrystalTM), as well as Mainconsole Family (NUUO Mainconsole Tri-Brid) solutions have received the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 certification.

Verkada (Cloud Camera Works) offers a technology solution that simplifies the process of meeting PCI physical security requirements. Unlike traditional CCTV systems, Verkada eliminates outdated equipment such as NVRs, DVRs and on-premise servers. The result: a system design that enables modern data security standards and innovative software capabilities by default.

3xLOGIC video surveillance vendor selected by our IS/IT department, also meet PSI DSS regulation.

Georgia CCTV understands that PCI-DSS compliance has become a requisite for restaurant operators. Safe guarding cardholder information and ensuring that PCI-DSS compliance standards are maintained is a material investment for companies in both time and resources. Georgia CCTV understands that for a retailer to achieve and maintain full PCI compliance, it is imperative that any services and devices that are part of or will become part of a merchant’s infrastructure also be PCI-DSS compliant.

ATLANTA, July 30, 2019 – Honeywell [NYSE: HON] announced the release of 30 Series IP Cameras, a new suite of video cameras that strengthens building safety and security through advanced analytics and secure channel encryption. They also adhere to the Payment Card Industry Data Security Standard (PCI-DSS) Together, these elements help meet the increasingly stringent requirements being set by IT Departments to shield businesses against unauthorized access and unsanctioned distribution.

Morpho is now IDEMIA, the global leader in Augmented Identity for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. IDEMIA – MORPHO is Payment Card Industry Data Security Standard (PCI DSS) certified company.

HID Global’s ActivID Authentication Appliance is used by enterprises and banks worldwide to secure access to networks, cloud applications and online services to prevent breaches and achieve compliance with the updated FFIEC guidance, PCI DSS and equivalent mandates, policies and guidelines.

Integrated Access Security is a commercial security systems company serving Redwood City. There Access control meet PCI regulation.

QNAP storage system have the following security certifications:

HIPAA Compliance

SSAE 18 Type II Certification

PCI-DSS Compliant

FIPS 140-2 Level 3 Validated Data Handling Practices

Ref:

https://www.rhombussystems.com/blog/security/what-type-of-video-security-system-do-you-need-to-be-pci-compliant/

https://www.pcisecuritystandards.org/document_library?category=educational_resources&subcategory=educational_resources_general

https://www.securitymetrics.com/blog/what-are-12-requirements-pci-dss-compliance

https://www.pcisecuritystandards.org/get_involved/participating_organizations