PCI DSS in Security Surveillance
Access control and video surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. The Payment Card Industry Data Security Standard (PCI DSS) sets out specific requirements for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures). PCI compliance appears to be an issue between the payment card companies such as Visa and the merchants who accept credit cards. However, as merchants are required to comply, they pass some of the impact down to the vendors whose systems sit on their network.
Some users and security professionals now ask whether an OEM camera, NVR or access controller is PCI DSS compliant: “We need your system to be PCI compliant before we can put it on the network”. One driver is Section 889 of the US FY2019 National Defense Authorization Act, signed into law on August 13, 2018, which bars US federal agencies from procuring Hikvision and Dahua video surveillance equipment (including their OEM rebrands) on national security grounds; the procurement prohibition took effect on August 13, 2019.
According to the current standard, PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, and to any other entity that stores, processes or transmits cardholder data (CHD) and/or sensitive authentication data (SAD). Its purpose is to keep card data from being stolen through network breaches and ineffective IT security practices. Originally most card brands, such as Visa and MasterCard, had their own proprietary rules for how merchants handle card data. Merchant concern and confusion over the varying and overlapping requirements of the rival card brands prompted the brands to create an independent organization and a common standard for protecting card data. That body is the PCI Security Standards Council (PCI SSC); it maintains several standards, of which the most applicable to our industry is PCI DSS. To meet its physical-security requirement you must use security cameras and/or access control at the entry points of sensitive areas, which are defined as follows:
‘Sensitive
areas’ refers to any data center, server room or any area that houses systems
that store, process, or transmit cardholder data. This excludes public-facing
areas where only point-of-sale terminals are present, such as the cashier areas
in a retail store.
It is this need to secure the merchant's entire network, as well as the devices and software attached to it, that creates the demand for video surveillance vendors to meet PCI requirements, or more precisely, to provide solutions secure enough that they do not compromise the merchant's network security plan. For a large retail store the sensitive area might be the server room, data closet, or anywhere else with machines or servers that process cardholder data. Cameras (or access control) must cover every entrance and exit so you can document who has entered and left the sensitive area.
There are two ways a surveillance product can introduce insecurity into a merchant's network. The first is the inherent, built-in security the solution has as shipped by the manufacturer. Many solutions shipped today rely on exposed embedded web applications, unhardened operating systems and a wide variety of other exploitable components built into the product.
Manufacturers first need to understand the most current threats and then evaluate and adapt their architectural design to provide maximum inherent security. One way to accomplish this is a valid and effective Software Development Lifecycle (SDLC) program that adheres to industry best practices, meets secure software development standards and has security activities and awareness built in throughout the process.
The second way that insecurity can be introduced into the merchant's network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from PCI requirements are causing them to push back on the manufacturer.
Requirement 9, updated as part of PCI DSS version 3.0, outlines the steps organizations must take to restrict physical access to cardholder data, including limiting and monitoring physical access to systems in the cardholder data environment, such as point-of-sale (POS) systems. PCI DSS accepts either entry access control mechanisms or video cameras (or both) to meet this requirement. Additionally, it requires organizations to:
- Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas
- Verify that video cameras (or access controls) are protected from tampering or disabling
- Review collected data and correlate with other entries
- Store video data (or access log data) for at least three months
Beyond the requirements specific to physical security,
PCI DSS outlines a range of measures that organizations must
The PCI Data Security Standard (DSS) specifically excludes the need to provide cameras over cash registers. The relevant requirement, numbered 9.1.1 in PCI DSS 3.x (renumbered 9.2.1.1 in PCI DSS v4.0 with the same substance), reads:
DSS 9.1.1: "Use video cameras and/or access control mechanisms to monitor individual access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: Sensitive areas refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."
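The "review collected data and correlate with other entries" step in 9.1.1 is the part most merchants do by hand, if at all. The script below is an added example (not from the original page or any vendor named on it) of what that review looks like when automated: it joins a badge-reader export with an NVR event export for the doors of sensitive areas and flags motion with no granted badge nearby, granted entries the camera never saw, and explicit tamper events. The two log formats, the camera-to-door mapping and the 30-second tolerance are assumptions for the example; the log lines are constructed.

```python
"""Correlate badge-reader (access control) logs with camera events for the
PCI DSS 9.1.1 review step ("review collected data and correlate with other
entries").  Added example, not from the original page: the two log formats,
the camera-to-door mapping and the 30-second tolerance are assumptions."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample export from an access control system (one event per line).
BADGE_LOG = """\
2024-03-04T08:59:50Z SERVER_ROOM_DOOR badge=1042 result=granted
2024-03-04T09:30:12Z SERVER_ROOM_DOOR badge=2290 result=denied
2024-03-04T10:15:03Z DATA_CLOSET_DOOR badge=1042 result=granted
2024-03-04T13:40:00Z SERVER_ROOM_DOOR badge=3377 result=granted
"""

# Constructed sample export from the NVR: motion and tamper events per camera.
CAMERA_LOG = """\
2024-03-04T09:00:02Z CAM-SR-01 motion
2024-03-04T09:30:15Z CAM-SR-01 motion
2024-03-04T11:05:44Z CAM-SR-01 motion
2024-03-04T13:39:10Z CAM-SR-01 tamper
2024-03-04T13:40:05Z CAM-SR-01 motion
"""

# Which camera watches which sensitive-area door (assumed site configuration).
# CAM-DC-01 is configured but reports nothing in the export: that is the
# "camera offline or disabled" case the review is meant to catch.
CAMERA_TO_DOOR = {"CAM-SR-01": "SERVER_ROOM_DOOR", "CAM-DC-01": "DATA_CLOSET_DOOR"}
WINDOW = timedelta(seconds=30)  # assumed: max gap between a badge and its matching motion


def parse_badge_log(text):
    events = []
    for line in text.splitlines():
        ts, door, badge, result = line.split()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "door": door,
                       "badge": badge.split("=", 1)[1],
                       "granted": result == "result=granted"})
    return events


def parse_camera_log(text):
    events = []
    for line in text.splitlines():
        ts, cam, kind = line.split()
        events.append({"ts": datetime.strptime(ts, TS_FMT), "camera": cam,
                       "door": CAMERA_TO_DOOR.get(cam), "kind": kind})
    return events


def correlate(badge_events, camera_events, window=WINDOW):
    """Return (finding, door, timestamp) tuples sorted by time."""
    granted = [b for b in badge_events if b["granted"]]
    motion = [c for c in camera_events if c["kind"] == "motion"]

    def near(door, ts, pool):
        return any(e["door"] == door and abs(e["ts"] - ts) <= window for e in pool)

    findings = []
    # Motion at a sensitive-area door with no granted badge nearby: tailgating,
    # a propped door or forced entry. A denied badge does not count as a match.
    for c in motion:
        if not near(c["door"], c["ts"], granted):
            findings.append(("UNBADGED_ACTIVITY", c["door"], c["ts"]))
    # A granted entry the camera did not see: camera blind, misaimed or
    # disabled, which 9.1.1 requires you to protect against and detect.
    for b in granted:
        if not near(b["door"], b["ts"], motion):
            findings.append(("NO_VIDEO_FOR_ENTRY", b["door"], b["ts"]))
    # Explicit tamper / signal-loss events reported by the camera itself.
    for c in camera_events:
        if c["kind"] in ("tamper", "signal_loss"):
            findings.append(("CAMERA_TAMPER", c["door"], c["ts"]))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for kind, door, ts in correlate(parse_badge_log(BADGE_LOG), parse_camera_log(CAMERA_LOG)):
        print(f"{ts.strftime(TS_FMT)} {door:18} {kind}")
```

On the constructed data this produces four findings: two unbadged motion events at the server room door (one of them right after a denied badge), one granted entry to the data closet with no video at all, and one tamper event shortly before a legitimate entry. Keeping both systems on the same NTP source matters here; with clocks drifting more than the tolerance window, every entry turns into a false finding.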
PCI DSS Compliance levels
PCI compliance is divided into four merchant levels, based on the annual number of credit or debit card transactions a business processes (the thresholds below are Visa's; the other card brands use similar tiers). The level determines how a merchant must validate compliance.
- Level 1: merchants processing more than six million card transactions annually. They must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), or by an Internal Security Assessor if an officer of the company signs off, resulting in a Report on Compliance (ROC). In addition, they must submit to a quarterly network scan by an Approved Scanning Vendor (ASV).
- Level 2: merchants processing between one and six million card transactions annually. They complete an annual assessment using a Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
- Level 3: merchants processing between 20,000 and one million e-commerce transactions annually. They complete the relevant SAQ annually; quarterly ASV scans are also required where applicable.
- Level 4: merchants processing fewer than 20,000 e-commerce transactions annually, or up to one million card transactions in total. The relevant SAQ must be completed annually and a quarterly ASV scan may be required.
PCI DSS Compliance
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration, usually up to one day. “Media” is all paper and electronic media containing cardholder data.
9.1 Use
appropriate facility entry controls to limit and monitor physical access to
systems in the cardholder data environment.
9.2
Develop procedures to easily distinguish between onsite personnel and visitors,
such as assigning ID badges.
9.3
Control physical access for onsite personnel to the sensitive areas. Access
must be authorized and based on individual job function; access must be revoked
immediately upon termination, and all physical access mechanisms, such as keys,
access cards, etc. returned or disabled.
Clearly, 9.1 to 9.3 contain no explicit camera requirement of their own; cameras are one of the two mechanisms that 9.1.1 accepts, and they are a good way to demonstrate compliance with 9.1 and 9.3 and to prove that revoked access really was revoked. It is hard to know whether you had a physical security breach if you have no video evidence.
PCI PED Compliance
3.4.5.2 Monitor, Camera, and Digital Recorder Requirements
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out of focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.
c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.
d) CCTV cameras must be connected at all times to:
- monitors located in the control room
- an alarm system that will generate an alarm if the CCTV is disrupted
- an active image-recording device
Q30 (March 2015 update)
Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?
A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.
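The three measurable rules in this section and in 9.1.1 (at least 4 frames per second, footage bracketing every detected motion by 10 seconds on each side, retention of at least three months) are the ones an assessor will sample. The script below is an added example, not from the page or from any vendor on it, that audits an exported clip list against them. The export format is constructed, the motion timestamps are constructed, and "three months" is taken as 90 days, which is an assumption (check your acquirer's reading of the requirement). Note that a motion-activated recorder can only satisfy the 10-second pre-roll if it keeps a rolling buffer of at least that length; the second finding below is exactly what a recorder with a too-short buffer produces.

```python
"""Audit exported CCTV clip metadata against the recording rules quoted above:
at least 4 frames per second, footage running at least 10 s before and after
detected motion, and (from PCI DSS 9.1.1) retention of at least three months.
Added example, not from the page; the export format is constructed and
"three months" is taken as 90 days, which is an assumption."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
MIN_FPS = 4.0
PRE_ROLL = timedelta(seconds=10)
POST_ROLL = timedelta(seconds=10)
RETENTION = timedelta(days=90)  # assumed reading of "at least three months"

# Constructed NVR export: one clip per line -> start end average_fps
CLIPS = """\
2023-12-20T00:00:00Z 2023-12-20T00:05:00Z 8.0
2024-03-04T08:59:30Z 2024-03-04T09:00:30Z 12.5
2024-03-04T11:05:40Z 2024-03-04T11:06:10Z 12.5
2024-03-04T13:38:00Z 2024-03-04T13:41:00Z 3.5
"""

# Constructed motion-detection timestamps reported by the same camera
MOTIONS = ["2024-03-04T09:00:02Z", "2024-03-04T11:05:44Z", "2024-03-04T13:40:05Z"]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def parse_clips(text):
    """Parse the export into (start, end, fps) tuples sorted by start time."""
    clips = []
    for line in text.splitlines():
        start, end, fps = line.split()
        clips.append((parse_ts(start), parse_ts(end), float(fps)))
    return sorted(clips)


def window_covered(clips, start, end):
    """True if the sorted clips cover [start, end] with no gap; clips may chain."""
    reached = start
    for s, e, _ in clips:
        if s > reached:
            break  # a gap before this clip; nothing later can fill it
        reached = max(reached, e)
        if reached >= end:
            return True
    return False


def audit(clips, motions, as_of):
    """Return clips below MIN_FPS, motions not bracketed by PRE_ROLL/POST_ROLL,
    and whether the archive reaches back RETENTION from as_of."""
    low_fps = [s.strftime(TS_FMT) for s, _, fps in clips if fps < MIN_FPS]
    uncovered = [m for m in motions
                 if not window_covered(clips, parse_ts(m) - PRE_ROLL, parse_ts(m) + POST_ROLL)]
    oldest = min(s for s, _, _ in clips)
    retention_ok = oldest <= parse_ts(as_of) - RETENTION
    return {"low_fps": low_fps, "uncovered_motion": uncovered, "retention_ok": retention_ok}


if __name__ == "__main__":
    print(audit(parse_clips(CLIPS), MOTIONS, as_of="2024-03-04T23:59:59Z"))
```

Run against the constructed export as of 2024-03-04, it flags the 13:38 clip for recording at 3.5 fps, the 11:05:44 motion event because recording only began 4 seconds before it, and the archive as a whole because its oldest clip is 75 days old rather than 90. A real audit would read the clip list from the NVR's export or API rather than a string, but the checks are the same.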
Some OEMs with PCI DSS compliance claims
A caveat before the examples: PCI DSS assessments are performed on entities (merchants and service providers), not on individual products, and the PCI SSC does not list "PCI DSS certified" cameras or recorders. A vendor statement that a product is PCI DSS compliant or certified should be read as a claim that the product supports the requirements or has been assessed as part of a compliant environment, and should be verified before the merchant relies on it.
For example, on March 19, 2015 NUUO, a provider of surveillance video management solutions, announced that its NUUO Crystal family (NUUO Crystal™) and Mainconsole family (NUUO Mainconsole Tri-Brid) solutions had received Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 certification.
Verkada (cloud-managed cameras) offers a technology solution that simplifies the process of meeting PCI physical security requirements. Unlike traditional CCTV systems, Verkada eliminates equipment such as NVRs, DVRs and on-premises servers. The result, according to the vendor, is a system design that enables modern data security standards and software capabilities by default.
3xLOGIC, the video surveillance vendor selected by our IS/IT department, also states that it meets PCI DSS requirements.
Georgia CCTV understands that PCI DSS compliance has become a requisite for restaurant operators. Safeguarding cardholder information and ensuring that PCI DSS compliance standards are maintained is a material investment for companies in both time and resources. Georgia CCTV understands that for a retailer to achieve and maintain full PCI compliance, it is imperative that any services and devices that are part of, or will become part of, a merchant’s infrastructure also support PCI DSS compliance.
ATLANTA, July 30, 2019 – Honeywell [NYSE: HON] announced the release of 30 Series IP Cameras, a new suite of video cameras that strengthens building safety and security through advanced analytics and secure channel encryption. They also adhere to the Payment Card Industry Data Security Standard (PCI DSS). Together, these elements help meet the increasingly stringent requirements being set by IT departments to shield businesses against unauthorized access and unsanctioned distribution.
Morpho is now IDEMIA, the global leader in Augmented Identity for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. IDEMIA (formerly Morpho) is a Payment Card Industry Data Security Standard (PCI DSS) certified company.
HID Global’s ActivID Authentication Appliance is used by enterprises and banks worldwide to secure access to networks, cloud applications and online services, to prevent breaches and to achieve compliance with the updated FFIEC guidance, PCI DSS and equivalent mandates, policies and guidelines.
Integrated Access Security is a commercial security systems company serving Redwood City. Its access control systems are stated to meet PCI requirements.
QNAP storage systems are stated to have the following security certifications:
- HIPAA compliance
- SSAE 18 Type II certification
- PCI DSS compliant
- FIPS 140-2 Level 3 validated data handling practices
Ref:
https://www.rhombussystems.com/blog/security/what-type-of-video-security-system-do-you-need-to-be-pci-compliant/
https://www.pcisecuritystandards.org/document_library?category=educational_resources&subcategory=educational_resources_general
https://www.securitymetrics.com/blog/what-are-12-requirements-pci-dss-compliance
https://www.pcisecuritystandards.org/get_involved/participating_organizations