
Saturday, January 16, 2021

PCI DSS in Security Surveillance

Access control & Video Surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. Thus, it’s no surprise that the Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures). PCI compliance appears to be an issue between the payment card companies such as VISA and the merchants who accept credit cards. However, as merchants are being required to comply, they are passing some of the impact down to the vendors whose systems sit on their network.

Some users and professionals now ask whether OEM cameras, NVRs and access controllers are PCI DSS compliant: “We need your system to be PCI compliant before we can put it on the network”. The reason is that on Aug 13, 2018 the US Govt banned HikVision & Dahua (and their OEMs) products due to backdoor entry and many security risks. On Aug 13, 2019 the US Govt signed it into law.

According to the latest standards, PCI DSS applies to all entities involved in the payment card industry, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Its purpose is to safeguard credit card data from being stolen through network breaches and ineffective IT security practices. Originally most card providers such as Visa and MasterCard had established their own proprietary rules regarding the handling of credit card data by merchants. Concern and confusion by the merchants over varying and overlapping requirements by the rival card companies prompted the card issuers to create an independent organization and standard for protecting credit card data. This entity is known as the PCI Security Council and while there are actually several standards, the most applicable to our industry is the PCI-DSS. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as below:

‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
It is this need to secure the merchant's entire network, as well as the devices and software attached to the network, that creates the demand for video surveillance vendors to meet PCI requirements, or more specifically, to provide solutions which are secure enough that they do not compromise the merchant's network security plan. For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.

The first way network insecurity can be introduced is through the inherent or built-in security that the solution has as it leaves the manufacturer's back door. Many solutions being shipped today utilize highly vulnerable technologies such as web applications and non-secured operating systems, and may even have a wide variety of exploitable technologies built into the product.

Manufacturers first need to understand the most current threats and then need to evaluate and adapt their architectural design to provide maximum inherent security.

One method to accomplish this is by having a valid and effective Software Development Lifecycle (SDLC) program in place which adheres to industry best practices, meets secure software development standards and has security activities and awareness built-in throughout the process.

The second way that network insecurity can be introduced into the merchants’ network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from the PCI requirements are causing them to push back at the manufacturer.

Updated as part of PCI DSS version 3.0, Requirement 9 outlines steps that organizations should take to restrict physical access to cardholder data. Included under this requirement are guidelines that organizations must take to limit and monitor physical access to systems in the cardholder data environment, such as points of sale (POS) systems. PCI DSS recommends deploying entry access control mechanisms or video security cameras to meet this requirement (or both). Additionally, they require companies to:
  • Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas
  • Verify that video cameras (or access controls) are protected from tampering or disabling
  • Review collected data and correlate with other entries
  • Store video data (or access logs data) for at least three months

Beyond the requirements specific to physical security, PCI DSS outlines a range of measures that organizations must

The PCI Data Security Standard (DSS) specifically excludes the need to provide cameras over cash registers:

DSS 9.1.1: "Use video cameras and/or access control mechanisms to monitor individual access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: - Sensitive areas refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."
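The review steps in DSS 9.1.1 (correlate access entries with video, keep at least three months) can be checked mechanically against exported logs. The following is an added example, not code from the original post or from the PCI standard; the door-to-camera map, the log layouts, the reading of "three months" as 90 days and the 10-second clock-skew slack are assumptions, and all sample data is constructed.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)  # assumption: "three months" taken as 90 days
SLACK = timedelta(seconds=10)   # assumption: tolerated clock skew between systems

def merge(segments):
    """Merge overlapping (start, end) recording segments into disjoint spans."""
    merged = []
    for start, end in sorted(segments):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def covered(merged, ts):
    """True if ts falls inside a recorded span, allowing SLACK on both sides."""
    # Last span whose start is <= ts + SLACK; spans are disjoint and sorted.
    i = bisect_right(merged, (ts + SLACK, datetime.max)) - 1
    return i >= 0 and ts <= merged[i][1] + SLACK

def review(door_cameras, segments_by_camera, access_events, now):
    """Return findings: short retention, badge events without video, unmapped doors."""
    findings = []
    merged = {cam: merge(segs) for cam, segs in segments_by_camera.items()}
    for door, cam in door_cameras.items():
        spans = merged.get(cam, [])
        # Oldest footage must reach back at least RETENTION from 'now'.
        if not spans or spans[0][0] > now - RETENTION:
            findings.append(("retention", door, cam))
    for ts, door, badge in access_events:
        cam = door_cameras.get(door)
        if cam is None:
            findings.append(("unmonitored_door", door, badge))
        elif not covered(merged.get(cam, []), ts):
            # Entry logged but no footage: camera may be disabled or tampered with.
            findings.append(("no_video", door, badge))
    return findings

# --- constructed sample data (hypothetical doors, cameras and badges) ---
NOW = datetime(2021, 1, 16, 12, 0)
DOOR_CAMERAS = {"server-room": "cam-01", "data-closet": "cam-02"}
SEGMENTS = {
    "cam-01": [
        (datetime(2020, 10, 1, 0, 0), datetime(2020, 10, 1, 0, 5)),
        (datetime(2021, 1, 15, 9, 0), datetime(2021, 1, 15, 9, 2)),
        (datetime(2021, 1, 15, 9, 1, 30), datetime(2021, 1, 15, 9, 4)),
    ],
    "cam-02": [(datetime(2021, 1, 10, 8, 0), datetime(2021, 1, 10, 8, 3))],
}
EVENTS = [
    (datetime(2021, 1, 15, 9, 3, 10), "server-room", "badge-1001"),
    (datetime(2021, 1, 15, 14, 20), "server-room", "badge-1002"),
    (datetime(2021, 1, 10, 8, 1), "data-closet", "badge-1003"),
    (datetime(2021, 1, 12, 10, 0), "loading-dock", "badge-1004"),
]

if __name__ == "__main__":
    for finding in review(DOOR_CAMERAS, SEGMENTS, EVENTS, NOW):
        print(finding)
```

The retention check only looks at the oldest retained footage per camera; it does not prove that recording was continuous in between.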

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.
·        Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. They must undergo an internal audit once a year, conducted by an authorized PCI auditor. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
·        Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
·        Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
·        Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.


PCI DSS Compliance
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.

Clearly, there's no explicit camera requirement here, but cameras are a good way to remain in compliance with requirement 9.2. It's hard to know if you had a physical security breach if you don't have any video evidence.

PCI PED Compliance
3.4.5.2 Monitor, Camera, and Digital Recorder Requirements
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.
c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.
d) CCTV cameras must be connected at all times to:
·        Monitors located in the control room
·        An alarm system that will generate an alarm if the CCTV is disrupted
·        An active image-recording device

Q30 March (update) 2015
Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?
A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.

Some OEMs that have achieved PCI DSS compliance
For example: On March 19, 2015 - NUUO, a leading provider of surveillance video management solutions, today announced that its NUUO Crystal family (NUUO Crystal™), as well as Mainconsole Family (NUUO Mainconsole Tri-Brid) solutions have received the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 certification.

Verkada (Cloud Camera Works) offers a technology solution that simplifies the process of meeting PCI physical security requirements. Unlike traditional CCTV systems, Verkada eliminates outdated equipment such as NVRs, DVRs and on-premise servers. The result: a system design that enables modern data security standards and innovative software capabilities by default.

3xLOGIC, the video surveillance vendor selected by our IS/IT department, also meets PCI DSS regulation.

Georgia CCTV understands that PCI-DSS compliance has become a requisite for restaurant operators. Safeguarding cardholder information and ensuring that PCI-DSS compliance standards are maintained is a material investment for companies in both time and resources. Georgia CCTV understands that for a retailer to achieve and maintain full PCI compliance, it is imperative that any services and devices that are part of or will become part of a merchant’s infrastructure also be PCI-DSS compliant.

ATLANTA, July 30, 2019 – Honeywell [NYSE: HON] announced the release of 30 Series IP Cameras, a new suite of video cameras that strengthens building safety and security through advanced analytics and secure channel encryption. They also adhere to the Payment Card Industry Data Security Standard (PCI-DSS). Together, these elements help meet the increasingly stringent requirements being set by IT Departments to shield businesses against unauthorized access and unsanctioned distribution.

Morpho is now IDEMIA, the global leader in Augmented Identity for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. IDEMIA – MORPHO is Payment Card Industry Data Security Standard (PCI DSS) certified company.

HID Global’s ActivID Authentication Appliance is used by enterprises and banks worldwide to secure access to networks, cloud applications and online services to prevent breaches and achieve compliance with the updated FFIEC guidance, PCI DSS and equivalent mandates, policies and guidelines.

Integrated Access Security is a commercial security systems company serving Redwood City. Their access control meets PCI regulation.

QNAP storage systems have the following security certifications:
HIPAA Compliance
SSAE 18 Type II Certification
PCI-DSS Compliant

FIPS 140-2 Level 3 Validated Data Handling Practices


Thursday, January 26, 2017

Top 10 video surveillance cameras & NVR of 2016


In order to come up with a comprehensive assessment, the products on this list all adhere to the following guidelines:
·        The product must have been uploaded to the asmag dot com database between Jan. 2016 and Dec. 2016.
·        The main purpose of the camera must be for professional security; no Wi-Fi cameras, cube cameras, DIY, or cameras targeted at the smart home sector were included.
·        Only one camera per company was chosen.


Top 10 video surveillance cameras of 2016:

1. Hikvision DS-2CD6626DS-IZ(H)S Dark Fighter 2 MP anti-corrosion dome
2. Dahua HD-TPC-PT8320-T hybrid network PTZ camera
3. Axis XF40-Q1765 explosion protected fixed network camera
4. Sony SNC-VB770 ultra high sensitivity 4K network camera
5. Surveon CAM2441HI box network camera
6. LILIN ZR8022 1808p HD Day & Night autofocus IR IP camera
7. EverFocus EZN7221 2 MP Full HD ultra-low light camera
8. Pelco by Schneider Electric Optera 12 MP panoramic IP camera
9. DynaColor DynaHawk ZD series hyper mini fisheye IP camera
10. ITX NCB-2003PR/NCB-1303PR IP camera

Top 10 video surveillance NVR of 2016:

1. Wavestore A-Series NVR
2. QNAP VS-2204 Pro+ VioStor NVR
3. Merit LILIN NVR408M H.264 1080p real-time multi-touch vehicle standalone NVR
4. Milestone Husky M50A NVR
5. Hikvision DS-96128/2561NI-E16(-E24) Embedded Super NVR
6. Hunt HNR-16GSQ NVR
7. Dahua DH-NVR5216/5232-16P-4KS2 NVR
8. Verint Nextiva EdgeVR 100/200 Series NVR
9. EverFocus Commander 2 ENVR8008 NVR
10. Surveon NVR7800 series

Sunday, August 16, 2015

iPhone and iPad Security Camera Apps

As a well-known eSecurity Professional in India, I have received many appreciative calls and mails for my blog writing. Thanks to all of you for reading and understanding my wrong English writing on my blog. Recently I visited Bhubaneswar (located in India, capital of Orissa) and faced some questions. Customers asked: "You people highlight that our NVR/DVR supports remote viewing on iPhone & iPad, but we are not enjoying the benefits of mobile security camera monitoring. Our System Integrator / Installer technical person comes and says something that we do not understand." So you’ve come to the right place. Many IP camera and NVR manufacturers have unveiled top-of-the-line mobile monitoring apps compatible with the iPhone and iPad. A list of manufacturer iPhone security camera apps and iPad security camera apps is provided below, each with a detailed description of noteworthy features.

Optica
iPhone & iPad Security Camera App Name: OpticaMobile & OpticaMobile HD
Optica, a leading manufacturer of high-definition IP cameras, offers OpticaMobile and OpticaMobile HD mobile apps designed for iPhone, iPad, and Android devices. OpticaMobile delivers a wide spectrum of features to improve the viewing experience for all Optica IP cameras, including quad-view mode, live video streams, bookmarking, audio, snapshots, dual stream support, and PTZ control of Optica’s P218Z speed dome. It’s an easy and convenient way to tap into your Optica IP camera system while on the go. OpticaMobile HD is built for use on the iPad, while OpticaMobile is compatible with iPhone and Android devices.

Milestone
iPhone & iPad Security Camera App Name: XProtect Mobile
Milestone is one of the leading providers of video management software. Always on the forefront of IP video technology, Milestone offers an iPhone security camera app designed for use with the iPhone 3GS, iPhone 4, iPhone 4S, iPhone 5, iPhone 6, and iPad. To use the iPhone and iPad app, you must first have Milestone’s free XProtect Mobile Server installed and configured, which you can download from the Milestone website. Once installed on your iPhone, you can view live video from several cameras simultaneously; play back recorded images; control PTZ cameras; connect to cameras from more than one site; and send images to others via MMS and email. It’s by far one of the best mobile monitoring apps out there.

Smartvue
iPhone & iPad Security Camera App Name: Smartvue 9
An all-star player in the NVR market, Smartvue offers a complimentary iPhone and iPad monitoring app compatible with a wide range of IP camera brands and styles such as Axis, Sony, Optica, Vivotek, and Panasonic. This innovative app allows you to view numerous cameras at once, slide through live images, connect to different cameras, change display options, see off-site camera monitors, view recorded video, and search archived footage. It’s easy to use, has an intuitive design, and operates through simple touch screen functions such as scrolling and pinch-to-zoom.

Vivotek
iPhone & iPad Security Camera App Name: Vivotek iViewer
The iViewer iPhone security camera app created by Vivotek is compatible with the iPhone 3GS, iPhone 4, iPhone 5, iPhone 6 and iPad devices. With the iViewer app installed on your iPhone or iPad, you can view your live camera feed anytime, anywhere. You’re not limited to just one camera either; the iViewer supports hundreds of live camera feeds from innumerable server connections. The app gives you complete control of your live video, including PTZ camera control, a snapshot command to capture specific video frames, real-time switching of cameras to change displays as needed, and saving your display settings. The app also features remote playback so you can browse through recorded images for peace of mind. Additionally, you can search recorded video via a date and time, and playback recorded video in time intervals of 1, 2, 5, and 10 minutes.

QNAP
iPhone & iPad Security Camera App Name: VMobile
NVR manufacturer QNAP offers a free mobile monitoring app called VMobile that works with most versions of the iPhone as well as the iPad. Using the VMobile app, you can view your IP cameras and playback recorded video from the VioStor NVR series. Unique to the VMobile app is its ability to connect with hundreds of network cameras of varied brands. You’ll have access to breakthrough mobile monitoring features like PTZ control, notification of events and snapshots, adjustable viewing modes, and recorded video playback.

Everfocus
iPhone & iPad Security Camera App Name: MobileFocus
Everfocus is one of the world’s most trusted manufacturers of CCTV camera systems and DVRs. The MobileFocus app supports multi-touch control for zooming in on images, quick access to preset positions, sequence mode, image snapshots of real-time video, PTZ control, full screen displays, live audio, and device management, among many other convenient features. The app currently works with all Paragon Series DVRs and HD Series DVRs.

Wednesday, June 26, 2013

Android IP Camera Android Apps

As a well-known eSecurity Professional in India, I have received many appreciative calls and mails for my blog writing. Thanks to all of you for reading and understanding my wrong English writing on my blog. Recently I visited Bhubaneswar (located in India, capital of Orissa) and faced some questions. Customers asked: "You people highlight that our NVR/DVR supports remote viewing on Android-enabled phones, but we are not enjoying the benefits of mobile security camera monitoring through our Android phone. Our System Integrator / Installer technical person comes and says something that we do not understand." So you’ve come to the right place. Many of today’s most trusted manufacturers of IP security cameras, DVRs, NVRs, and video management software offer Android IP camera apps for safe and reliable monitoring. I share with you a list of Android security camera apps offered by manufacturers, and the high-end features available on each.

Optica
Android Security Camera App Name: OpticaMobile
Optica, a leading manufacturer of high-definition IP cameras, offers OpticaMobile and OpticaMobile HD mobile apps designed for iPhone, iPad, and Android devices. OpticaMobile delivers a wide spectrum of features to improve the viewing experience for all Optica IP cameras, including quad-view mode, live video streams, bookmarking, audio, snapshots, dual stream support, and PTZ control of Optica’s P218Z speed dome. It’s an easy and convenient way to tap into your Optica IP camera system while on the go. OpticaMobile HD is built for use on the iPad, while OpticaMobile is compatible with iPhone and Android devices.

Milestone
Android IP Camera App Name: XProtect Mobile
Created by Milestone, one of the world’s leading developers of video management software, the XProtect Mobile Android security app offers a bevy of features catered to on-the-go surveillance users. With an average rating of 4.6, with 5 being the highest score, users have raved about its built-in features and usability. What’s great about this video surveillance app is how many cameras you’re able to view and manage at once. Users were most excited about the number of cameras they can monitor on this app – one even wrote that the app was able to support all 38 of the user’s IP cameras. Key features include video push, control of inputs and outputs, control of PTZ cameras, viewing live video feed from numerous remote security cameras, snapshot sharing to send via email or MMS, and compatibility with WiFi, 3G, and 4G networks.

Smartvue
Android IP Camera App Name: Smartvue Android App
Smartvue has remained on the cutting-edge of NVR technology since its inception. Recognized as an innovator in this market, Smartvue offers complimentary remote video surveillance access to its NVRs so you can check your IP cameras while on-the-go. Designed for Android versions 2.2 and up, the Smartvue Android App gives you complete access to your IP camera system when you’re physically off-site. With the Smartvue Android App installed, you can view your live video feed, playback archived recordings, swipe the screen to change cameras, control display settings as needed, monitor multiple cameras at once, and control PTZ functions. It also works with a wide variety of IP camera brands and body styles. Users have given this video surveillance app excellent ratings for its convenience, ease-of-use, and intuitively designed interface.

VivoTek
Android IP Camera App Name: iViewer LITE
This Android IP camera viewer app offered by Vivotek enables surveillance users to monitor live streaming video from all of their IP cameras, or those that are managed by Vivotek’s video management software for up to 360 seconds at a time. Note that this app currently works only with Android V2.3 and higher. Supporting IP cameras from a multitude of server connections, this app allows PTZ control via the touch screen, real-time video switching for different display options, image snapshots, single-channel playback by search, and the ability to play back recorded video for 1, 2, 5, and 10 minute intervals. Additionally, you can configure your app to support fisheye camera views.

QNAP
Android IP Camera App Name: VMobile
Offered by NVR manufacturer QNAP, the VMobile Android App facilitates remote and wireless monitoring of IP cameras by connecting to the company’s VioStor NVR through Android versions v1.6, v2.1, and v2.2. VMobile is able to manage an unlimited number of servers and cameras for a wide variety of IP camera brands and body styles. With this app, you’re able to adjust the display mode, control PTZ, receive notifications if your IP camera detects tampering or vandalism, and capture snapshots that you want to save. You’re also able to play back recorded video from each of your IP cameras and search recorded video based on date and time.

EverFocus
Android IP Camera App Name: MobileFocus & MobileFocusPlus
Through the MobileFocus Android security camera app, you can connect to Everfocus DVRs and IP cameras at the touch of a button. Everfocus is one of the leading manufacturers of CCTV cameras, DVRs, and professional security products, including a select line of IP cameras catered to the ever-growing IP surveillance market. The mobile monitoring app’s easiest functions are viewing your cameras in real-time and controlling PTZ remote security camera models. Auxiliary mobile monitoring technologies include device management, channel control, gesture digital zoom, image snapshots, and full screen mode.