Pages

Saturday, January 16, 2021

PCI DSS in Security Surveillance

PCI DSS in Security Surveillance
Access control & Video Surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. Thus, it’s no surprise that the Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures). PCI compliance appears to be an issue between the payment card companies such as VISA and the merchants who accept credit cards. However, as merchants are being required to comply, they are passing some of the impact down to the vendors whose systems sit on their network.

Some users, professional now start asking is OEM camera, NVR, Access Controller are Compliance by PCI-DSS, “We need your system to be PCI compliant before we can put it on the network”. Reason is that in Aug 13, 2018 US Govt Ban HikVision & Dahua (and their OEMs) product due to backdoor entry & lots of security risk. On Aug 13, 2019 US Govt signed as a Law.

According to the latest standards, PCI DSS applies to all entities involved in payment card industry—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). To safeguard credit card data from being stolen through network breaches and ineffective IT security practices. Originally most card providers such as Visa and MasterCard had established their own proprietary rules regarding the handling of credit card data by merchants. Concern and confusion by the merchants over varying and overlapping requirements by the rival card companies prompted the card issuers to create an independent organization and standard for protecting credit card data. This entity is known as the PCI Security Council and while there are actually several standards, the most applicable to our industry is the PCI-DSS. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as below:

‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
It is this need to secure the merchants entire network as well as the devices and software attached to the network that creates the demand for video surveillance vendors to meet PCI requirements, or more specifically, to provide solutions which are secure enough that they do not compromise the merchants network security plan. For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.

This first is the inherent or built-in security that the solution has as it leaves the manufacturers back door. Many solutions being shipped today utilize highly vulnerable technologies such as web applications, non-secured operating systems and may even have a wide variety of exploitable technologies built into the product.

Manufacturers first need to understand the most current threats and then need to evaluate and adapt their architectural design to provide maximum inherent security.

One method to accomplish this is by having a valid and effective Software Development Lifecycle (SDLC) program in place which adheres to industry best practices, meets secure software development standards and has security activities and awareness built-in throughout the process.

The second way that network insecurity can be introduced into the merchants’ network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from the PCI requirements are causing them to push back at the manufacturer.

Updated as part of PCI DSS version 3.0, Requirement 9 outlines steps that organizations should take to restrict physical access to cardholder data. Included under this requirement are guidelines that organizations must take to limit and monitor physical access to systems in the cardholder
data environment, such as points of sale (POS) systems. PCI DSS recommends deploying entry access control mechanisms or video security cameras to meet this requirement (or both). Additionally, they require companies to:
  • ü  Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas
  • ü  Verify that video cameras (or access controls) are protected from tampering or disabling
  • ü  Review collected data and correlate with other entries
  • ü  Store video data (or access logs data) for at least three months

Beyond the requirements specific to physical security, PCI DSS outlines a range of measures that organizations must

The PCI Data Security Standard (DSS) specifically excludes the need to provide cameras over cash registers:

DSS 9.1.1: "Use video cameras and/or access control mechanisms to monitor individual access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: - Sensitive areas refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business process. The classification level determines what an enterprise needs to do to remain compliant.
·        Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
·        Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
·        Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
·        Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.


PCI DSS Compliance
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.

Clearly, there's no explicit camera requirement here, but cameras are a good way to remaining in compliance with requirement 9.2. It's hard to know if you had a physical security breach if you don't have any video evidence.

PCI PED Compliance
3.4.5.2 Monitor, Camera, and Digital Recorder Requirements
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.
c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.
d) CCTV cameras must be connected at all times to:
·        Monitors located in the control room
·        An alarm system that will generate an alarm if the CCTV is disrupted
·        An active image-recording device

Q30 March (update) 2015
Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?
A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.

Some of OEM done PCI DSS Compliance
For example: On March 19, 2015 - NUUO, a leading provider of surveillance video management solutions, today announced that its NUUO Crystal family (NUUO CrystalTM), as well as Mainconsole Family (NUUO Mainconsole Tri-Brid) solutions have received the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 certification.

Verkada (Cloud Camera Works) offers a technology solution that simplifies the process of meeting PCI physical security requirements. Unlike traditional CCTV systems, Verkada eliminates outdated equipment such as NVRs, DVRs and on-premise servers. The result: a system design that enables modern data security standards and innovative software capabilities by default.

3xLOGIC video surveillance vendor selected by our IS/IT department, also meet PSI DSS regulation.

Georgia CCTV understands that PCI-DSS compliance has become a requisite for restaurant operators. Safe guarding cardholder information and ensuring that PCI-DSS compliance standards are maintained is a material investment for companies in both time and resources. Georgia CCTV understands that for a retailer to achieve and maintain full PCI compliance, it is imperative that any services and devices that are part of or will become part of a merchant’s infrastructure also be PCI-DSS compliant.

ATLANTA, July 30, 2019 – Honeywell [NYSE: HON] announced the release of 30 Series IP Cameras, a new suite of video cameras that strengthens building safety and security through advanced analytics and secure channel encryption. They also adhere to the Payment Card Industry Data Security Standard (PCI-DSS) Together, these elements help meet the increasingly stringent requirements being set by IT Departments to shield businesses against unauthorized access and unsanctioned distribution.

Morpho is now IDEMIA, the global leader in Augmented Identity for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. IDEMIA – MORPHO is Payment Card Industry Data Security Standard (PCI DSS) certified company.

HID Global’s ActivID Authentication Appliance is used by enterprises and banks worldwide to secure access to networks, cloud applications and online services to prevent breaches and achieve compliance with the updated FFIEC guidance, PCI DSS and equivalent mandates, policies and guidelines.

Integrated Access Security is a commercial security systems company serving Redwood City. There Access control meet PCI regulation.

QNAP storage system have the following security certifications:
HIPAA Compliance
SSAE 18 Type II Certification
PCI-DSS Compliant

FIPS 140-2 Level 3 Validated Data Handling Practices

Ref:
https://www.rhombussystems.com/blog/security/what-type-of-video-security-system-do-you-need-to-be-pci-compliant/
https://www.pcisecuritystandards.org/document_library?category=educational_resources&subcategory=educational_resources_general
https://www.securitymetrics.com/blog/what-are-12-requirements-pci-dss-compliance
https://www.pcisecuritystandards.org/get_involved/participating_organizations

Friday, January 1, 2021

Upcoming Trends in security & surveillance for 2021

Upcoming Trends in Security & Surveillance for 2021 

It’s fair to say 2020 has not been the year any of us were expecting. It has been challenging, we have all made sacrifices, and there are still further obstacles in our path as we try to get back to “normal”. SARS-CoV-2, the coronavirus strain that causes COVID-19, is a highly contagious respiratory illness that is affecting lives worldwide. Epidemics and pandemics have been threatening the human race time and again. SARS, H1N1, Ebola, and more have shown their teeth in the past, but with each such outbreak, we are learning new ways of fighting and managing such unexpected diseases that can potentially kill millions of people. Technology cannot prevent the onset of the pandemics; however, it can help prevent the spread, educate, warn, and empower those on the ground to be aware of the situation, and noticeably lessen the impact. The pandemic of 2020 has certainly changed the landscape for us all, not just the security industry. It has made us a lot more aware of touch points, crowded gatherings and personal space. It is inevitable that technology will adapt as our lives do. We have already seen manufacturers race to bring us solutions such as body temperature management, face mask detection and crowd control etc. It’s time to change. It’s time to get better. It’s time to learn more and sharpen our skills.’

During pandemic Webinar is boom through Zoom. Google meet, Gotowebiner etc in security safety automation industry. System Integrator, End Users, professionals are learn many things through OEM direct Webinar. US already ban China made surveillance product. In india Atmanirbhar Bharat (self-reliant India) is the vision of the Prime Minister of India Narendra Modi of making India a self-reliant nation. The first mention of this came in the form of the 'Atmanirbhar Bharat Abhiyan' or 'Self-Reliant India Mission' during the announcement of the coronavirus pandemic related economic package on 12 May 2020. Known china CCTV OEM are thrown out. Yes, it’s true, India don’t have much infrastructure to generate Camera manufacturing plant, it will take time at list 5 year. Within this time, we can follow BIS website to get information about selected camera / NVR model are china factory make or not. Low cost and high cost both option camera you can found. If you found that model belongs to china factory immediately change with Closest or Alternative Substitute. Now we check what will be next in 2021 for Security Safety & Automation.

OSHA new Policy:

The COVID-19 outbreak has caused almost all firms to deploy the work from home practice for employees. While some may be used to this, others may feel lost in the exercise. While not all Indian are able or fortunate enough to work from home, many have transitioned to telecommuting and virtual work over the last week or two.

While employers’ responsibilities for the safety and health of their at-home workers is less than those in the office or onsite, some do still exist. OSHA distinguishes between home offices and other home workplaces.
OSHA’s compliance directive on home offices is pretty clear:
·     “OSHA will not conduct inspections of employees’ home offices.
·     “OSHA will not hold employers liable for employees’ home offices, and does not expect employers to inspect the home offices of their employees.
·   “If OSHA receives a complaint about a home office, the complainant will be advised of OSHA’s policy. If an employee makes a specific request, OSHA may informally let employers know of complaints about home office conditions, but will not follow-up with the employer or employee.”
What about recording injuries while working at home? If an employee is working at home, when could the injury be considered work-related? OSHA answers the question:
How do I decide if a case is work-related when the employee is working at home? Injuries and illnesses that occur while an employee is working at home, including work in a home office, will be considered work-related if the injury or illness occurs while the employee is performing work for pay or compensation in the home, and the injury or illness is directly related to the performance of work rather than to the general home environment or setting.

Video Intercoms:

One of the newer phenomena we’ve faced in the world has been the concept of physical distancing, brought to light by the global coronavirus pandemic. This has created challenges not only socially, but for technologies that were not designed to accommodate what may be the new norm. Video intercoms are really going to be playing a bigger part in the way facilities are organized and processes are organized. We’re seeing some customers that are using this to limit having to actually go inside a room in a healthcare facility, for example, to limit the chances of transmitting something all while maintaining that frequency of checking. One of the main benefits of door intercoms is, simply put, the ability to limit — or even eliminate — human contact at the door. In this pandemic, an immediate need is providing [the customer with] a way to create physical distancing upon entry. This can also be applied to healthcare workers. Integrators have to understand this greater demand for security at the door and deliver solutions to their customers. Everybody is having food, groceries and other things delivered to their door. Demand for that is very high right now. Additional security at the door or the gate is something people want and need.

Home Over IP:

Amazon, Apple, Google and the Zigbee Alliance announced a new working group that plans to develop and promote the adoption of a new, royalty-free connectivity standard to increase compatibility among smart home products, with security as a fundamental design tenet. Zigbee Alliance board member companies such as IKEA, Legrand, NXP Semiconductors, Resideo, Samsung SmartThings, Schneider Electric, Signify (formerly Philips Lighting), Silicon Labs, Somfy and Wulian are also on board to join the working group and contribute to the project. The goal of the Connected Home over IP project is to simplify development for manufacturers and increase compatibility for consumers. The project is built around a shared belief that smart home devices should be secure, reliable and seamless to use. By building upon IP, the project aims to enable communication across smart home devices, mobile apps and cloud services, and to define a specific set of IP-based networking technologies for device certification.

Video Surveillance:

The global CCTV camera market is anticipated to generate substantial revenue of more than to USD 38 billion till 2021. Asia Pacific and America holds the largest share of the global market and act as one of the main driver for the market. According to “India CCTV Camera Market Outlook, 2021”, the India CCTV Camera market is expected to grow with a CAGR of more than 26 % in the period from 2016 to 2021. Technology wise non-IP dominates the Indian market but in the coming years IP is expected to take the lead soon. Non -IP technology constitutes of analog and HD CCTV cameras. Analog is technology which is in a depleting stage and it share is expected to be taken by the IP technology and the HD type CCTV camera. Dome typed cameras are the most widely used cameras in any sectors. Commercial segment is the driver of the CCTV market in India with the increasing count of SOHO’s and SME’s. With the increasing security concerns, residential sector would also be one of the factors for the increasing market. As criminal activities are more in the northern region of India, North dominates the market in terms of revenue.

Facial Recognition:

Facial recognition is the common theme of the week’s top digital identity news with retail applications, new edge servers, and biometric border control deployments around the world. A new software partnership on biometric cryptography has also been announced, a report shows the importance of selfie biometrics in fraud reduction published, and the industry, as well as society more broadly, continues to contend with the issue of algorithmic bias. Facial recognition solutions identify a person by forming a unique code built on algorithms from multiple points on a person’s face, including nose, chin, lips, eyes and jaw. However, when a person wears a mask, many of these key points are not visible. Faces were often completely missed, and unsuccessful or false identifications were high. Those are know this wearing masks can reduce the accuracy they avoid to take Facial recognition

Video Verification:

The city currently has over 1,000 video surveillance cameras deployed across the metropolitan area and is expected to reach over 1,700 security devices. Now it’s very difficult to watch every moment on comment control center. It’s very important to see what camera saw. Through Video Auditing software the task are easy. Day by day its increase.

Rise of Mobile Credentials:

There has been a tremendous uptick in the popularity of mobile credentials. Research firm IHS Markit has reported that mobile-based credentials are the fastest-growing access control product. Globally they have experienced nearly a 150 percent growth between 2017 and 2018. Estimates show that more than 120 million mobile credentials will be downloaded in 2023 by end users. A 2019 survey by HID estimated that 54% of businesses had upgraded or would upgrade to a mobile access control system in the next three years. Though access cards still play a powerful role in the access control market, we are seeing a strong shift towards mobile access control like various companies. The use of mobile-based credentials is the logical next step for the physical security and access control industry. The fact that people are always with their smartphone helps popularise this trend. Phones aren’t just phones anymore. They play a bigger role in day-to-day life and this also includes access control. Mobile credentials can revolutionise the industry, eliminating the need to carry and wipe a card. Instead, a phone’s technology can be used to authenticate identity and grant entry. This gives greater flexibility, improves privacy and can also lower the maintenance costs of credential management for end users. Additionally, a clear advantage is that employees are more likely to carry their smartphone with them and less likely to lose them compared to NFC transponders.

The advantages of using virtual access control cards, which are stored on smartphones, are obvious: less logistics when distributing, revoking or replacing cards and many more ways to integrate with technology on the phone or other hosts and devices in the network. Often also the user experience of mentioned as a benefit of mobile access: users do not have to fill up their wallets with a pile of RFID cards but can conveniently carry them around in their phone. The networking capacity of smartphones would even be a great way to overcome the limitations of offline access control installations where access rights would be stored on smartphones instead of cards.

Security in the cloud:

After the entrance of IP-networking in security around twenty years ago, it is one of the major current trends in our industry: cloud based security systems. In the context of physical security one could define cloud based systems as those systems with a topology that looks like this:
·       A server that is ‘in the cloud’ and can be accessed from virtually anywhere;
·       Devices that connect over an IP-network to that central server;
·       Web based administration of the system;
·       Commercially based on a service or transaction model with recurring fees.
Variations exist. But in general this pretty much sums up what to expect when reviewing a cloud based system.
We see this set-up currently already in several categories:
·               Video Intercom Systems, like the systems from Akuvox, which are based on video intercom stations that connect to a cloud based server, which also enables use of apps as virtual door phones.
·   Mobile access systems that enable the use of virtual credentials on smartphones. and that are managed from a cloud based server.
·               Video management software now also is offered by several vendors as a cloud service, for example: 3dEYE, Open Eye, and VIVOTEK.

IoT security topologies:

The Internet of Things idea has been around for ages. It was predicted over a decade ago that billions of device will connect to the Internet. Sensors all around us will deliver data to the cloud. Feeding data into ‘big data’ processing applications that will give us access to a wealth of information. Devices also connect the cloud. To be part of applications that can be used and managed from virtually any location. For security it would mean that it very much is related to cloud based security applications. The additional step here would be that camera’s, readers, intercoms, intrusion detection sensors and biometric stations would connect directly to the cloud based service. Installations would be easier and more scalable. Access control systems could be deployed at any door and still be real online access control systems. Video surveillance would be available at any location that would require security monitoring. Security sensors and devices can be rolled out everywhere.

Smartphones and wearables

Using smartphones or other wearable devices in security has been a popular idea for many years. Smartphones and tablets often can be used to access the administration Interface (GUI) of the access control, video management or PSIM systems. That hardly is considered an innovation. Smartphones can also be used as virtual access control and identity cards in mobile acess systems. In addition it appears that also biometrics like facial recognition and fingerprint identification are now available on smartphones. It appears logical that smartphones with their native connectivity features are an interesting extension of security systems.
Mobile credentials enable both multimodal and multi-factor authentication. Multimodal means proving identity and/or gaining access using at least two separate biometrics, or permitting access through any one of various credentials, such as a smartcard or PIN. Multi-factor authentication involves proving identity and/or obtaining access via at least two methods or credentials. Multi-factor authentication is widely used in digital access. For example, when an employee logs onto a company’s system, he or she must use a secondary method to verify identity via a one-time token via SMS or other app. It is also burgeoning in physical access applications. Although two-factor authentication has been mandated in regulated industries, it is emerging in unregulated verticals as well. The development of multimodal readers will continue to fuel this trend.
Believers say that people prefer carrying around their smartphone over additional cards. They refer to the technical possibilities that smartphones offer in areas like user convenience and integration of systems.

Identity analytics and AI

A relatively new field in security is identity analytics. Seeing through identity and security related data in an automated way. To monitor use of access priviliges and consequently alter those access rights. The idea comes from the IT industry and that is where you will see it deployed mostly now. Recent research indicates that this is an emerging market with high anticipated growth potential. It would make sense to include physical security into these applications.
Believers will say that, like with video analytics, many more security related events can be actively monitored, more incidents can be detected and a tighter security regime can be implemented without hindering users unnecessarily.
It remains to be seen what the future will bring exactly. But intelligent security related data analytics certainly will have a place in modern enterprise security management applications.

Centralized Control of Fire Detection:

The principle of networking involves connecting several panels together to form a system. Inputs on one panel may activate outputs on another, for example, or the network may allow monitoring of many systems. Networking is often used in situations where one panel is not large enough, or in multiple-building situations. Networking is also an effective way to decouple systems to reduce the risk of a large portion of a facility going offline at any time due to system failure or maintenance requirements. Sub-Networks can be created using either hardware or software architectures. Networked systems normally are more costly and involve additional training and system configuration for successful implementation.


From this year many customer implement centralised monitoring & controlling of Fire Panel through creating WLAN communication with Graphic software. Due to cost effective graphical monitoring control software only industrial & Enterprise business implement the same. Also it will possible if same brand panel is there in all location.

BMS Workforce:

The growth of IBMS market is observing hindrance due to lack of availability of skilled workforce. The Intelligent building management systems are usually complex and require skilled personals to operate. The cost of training operators to handle complex equipment such as HVAC control, outdoor controls, security and access control, energy management systems and smart meters is quite high. Owing to which, small scale companies cannot afford to invest large capital to train their operators. This factor is likely to affect the growth of the IBMS market in the country.
But due to COVID-19 many OEM & society presence webinar program to educate more. This will be effect in this 2021-22. The region segmentation for the IBMS market has been done by South IndiaWest IndiaNorth IndiaEast India. Which include general lighting controls, communication systems, security controls, HVAC controls, access controls, outdoor controls entertainment controls and others. The India IBMS market is segmented by application into: hospitality, residential and retail, life science, office space, manufacturing, and energy and infrastructure. All these segments have also been estimated on the basis of geography in terms of revenue (USD Million).

The goal of building management systems was—and still is—to help optimize building performance by

·       Providing data on core building operational systems, specifically HVAC. 

·       Enabling the automatic control of a building’s main operating functions. 

IoT for buildings has the same goal of performance optimization (and by extension, saving money) through data and automatic control, but advanced technology takes these aspects many steps further than a traditional BMS system can. 

We wish you all the very best for 2021 and we look forward to working with you for many years to come.