Showing posts with label Idemia. Show all posts

Saturday, January 16, 2021

PCI DSS in Security Surveillance

Access control and video surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. The Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures). PCI compliance appears to be an issue between the payment card companies such as VISA and the merchants who accept credit cards. However, as merchants are being required to comply, they are passing some of the impact down to the vendors whose systems sit on their network.

Some users and professionals have now started asking whether OEM cameras, NVRs and access controllers are PCI DSS compliant: "We need your system to be PCI compliant before we can put it on the network". The reason is that on Aug 13, 2018 the US government banned HikVision and Dahua (and their OEM) products because of backdoor entry and many security risks, and on Aug 13, 2019 this ban was signed into law.

According to the latest standards, PCI DSS applies to all entities involved in the payment card industry, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Its purpose is to safeguard credit card data from being stolen through network breaches and ineffective IT security practices. Originally, most card providers such as Visa and MasterCard had established their own proprietary rules regarding the handling of credit card data by merchants. Concern and confusion among merchants over the varying and overlapping requirements of the rival card companies prompted the card issuers to create an independent organization and standard for protecting credit card data. This entity is known as the PCI Security Council, and while there are actually several standards, the most applicable to our industry is the PCI DSS. To comply with the standard, you must use security cameras and/or access control in any sensitive areas. Sensitive areas are defined as below:

‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
It is this need to secure the merchant's entire network, as well as the devices and software attached to the network, that creates the demand for video surveillance vendors to meet PCI requirements, or more specifically, to provide solutions which are secure enough that they do not compromise the merchant's network security plan. For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.

The first is the inherent or built-in security that the solution has as it leaves the manufacturer's back door. Many solutions being shipped today utilize highly vulnerable technologies such as web applications and non-secured operating systems, and may even have a wide variety of exploitable technologies built into the product.

Manufacturers first need to understand the most current threats and then need to evaluate and adapt their architectural design to provide maximum inherent security.

One method to accomplish this is by having a valid and effective Software Development Lifecycle (SDLC) program in place which adheres to industry best practices, meets secure software development standards and has security activities and awareness built-in throughout the process.

The second way that network insecurity can be introduced into the merchants’ network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from the PCI requirements are causing them to push back at the manufacturer.

Updated as part of PCI DSS version 3.0, Requirement 9 outlines steps that organizations should take to restrict physical access to cardholder data. Included under this requirement are guidelines that organizations must follow to limit and monitor physical access to systems in the cardholder data environment, such as point-of-sale (POS) systems. PCI DSS recommends deploying entry access control mechanisms or video security cameras (or both) to meet this requirement. Additionally, they require companies to:
  • Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas
  • Verify that video cameras (or access controls) are protected from tampering or disabling
  • Review collected data and correlate with other entries
  • Store video data (or access log data) for at least three months

Beyond the requirements specific to physical security, PCI DSS outlines a range of measures that organizations must

The PCI Data Security Standard (DSS) specifically excludes the need to provide cameras over cash registers:

DSS 9.1.1: "Use video cameras and/or access control mechanisms to monitor individual access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: - Sensitive areas refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."
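As an added example (not code from the original post or from any vendor named on this page), the following Python script checks a recorder's segment export and an access controller's event export against the two 9.1.1 points quoted above: footage from the camera covering each sensitive-area door must reach back at least three months (90 days assumed), and every access event at such a door must be correlated with video from that camera. The camera names, door names, export formats, log lines, timestamps and the "now" value are all constructed for the example.

```python
"""Added example: PCI DSS 9.1.1 retention and correlation checks over
constructed recorder and access-controller exports (not the post's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION_DAYS = 90                          # "store for at least three months"
CORRELATION_WINDOW = timedelta(seconds=30)   # assumed clock slack between devices

# Constructed mapping: which camera watches which sensitive-area door.
CAMERA_FOR_DOOR = {
    "server-room-door": "cam-srv-01",
    "data-closet-door": "cam-dc-02",
}

# Constructed "now" so the example is reproducible offline.
NOW = datetime(2021, 1, 16, 12, 0, 0)

# Hypothetical recorder export, one segment per line: camera,start,end (ISO 8601)
SAMPLE_SEGMENTS = [
    "cam-srv-01,2020-10-01T00:00:00,2020-12-31T23:59:59",
    "cam-srv-01,2021-01-01T00:00:00,2021-01-16T12:00:00",
    "cam-dc-02,2020-12-20T00:00:00,2021-01-16T12:00:00",
]

# Hypothetical access-controller export: door,badge,timestamp (ISO 8601)
SAMPLE_ACCESS = [
    "server-room-door,1234,2021-01-10T09:00:00",
    "data-closet-door,5678,2020-11-15T14:30:00",
    "server-room-door,9999,2021-01-16T12:00:20",
]


@dataclass(frozen=True)
class Segment:
    camera: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class AccessEvent:
    door: str
    badge: str
    at: datetime


def parse_segments(lines):
    segments = []
    for line in lines:
        camera, start, end = line.strip().split(",")
        segments.append(Segment(camera, datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return segments


def parse_access_log(lines):
    events = []
    for line in lines:
        door, badge, at = line.strip().split(",")
        events.append(AccessEvent(door, badge, datetime.fromisoformat(at)))
    return events


def retention_shortfalls(segments, now, cameras):
    """Cameras whose oldest retained footage is younger than RETENTION_DAYS
    (or that have no footage at all). Returns {camera: oldest_start_or_None}."""
    shortfalls = {}
    for camera in cameras:
        starts = [s.start for s in segments if s.camera == camera]
        oldest = min(starts) if starts else None
        if oldest is None or now - oldest < timedelta(days=RETENTION_DAYS):
            shortfalls[camera] = oldest
    return shortfalls


def uncorrelated_events(events, segments, window=CORRELATION_WINDOW):
    """Access events for which the door's camera has no footage within +/- window.
    A door with no camera mapped is reported as well, since nothing can be correlated."""
    missing = []
    for event in events:
        camera = CAMERA_FOR_DOOR.get(event.door)
        covered = any(
            seg.camera == camera and seg.start - window <= event.at <= seg.end + window
            for seg in segments
        )
        if not covered:
            missing.append(event)
    return missing


def run_checks(segment_lines=SAMPLE_SEGMENTS, access_lines=SAMPLE_ACCESS, now=NOW):
    segments = parse_segments(segment_lines)
    events = parse_access_log(access_lines)
    return {
        "retention_shortfalls": retention_shortfalls(segments, now, CAMERA_FOR_DOOR.values()),
        "uncorrelated_events": uncorrelated_events(events, segments),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

On the constructed data, cam-dc-02 is flagged because its archive only reaches back 27 days, and badge 5678 is flagged because its entry predates any footage from that camera; the event 20 seconds after the last segment ends is accepted because of the clock-slack window, which is the kind of tolerance an assessor will ask you to justify.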

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The classification level determines what an enterprise needs to do to remain compliant.
  • Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. They must undergo an internal audit once a year, conducted by an authorized PCI auditor. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
  • Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They're required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
  • Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
  • Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.


PCI DSS Compliance
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.

Clearly, there's no explicit camera requirement here, but cameras are a good way to remain in compliance with requirement 9.2. It's hard to know whether you had a physical security breach if you don't have any video evidence.

PCI PED Compliance
3.4.5.2 Monitor, Camera, and Digital Recorder Requirements
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.
c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.
d) CCTV cameras must be connected at all times to:
  • Monitors located in the control room
  • An alarm system that will generate an alarm if the CCTV is disrupted
  • An active image-recording device

Q30 March (update) 2015
Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?
A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.
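As an added example (not from the post or from the PCI SSC), here is a Python check of the recording rule stated in the answer above: every motion detection must lie inside a recording that starts at least 10 seconds before it and ends at least 10 seconds after it, captured at no less than the four frames per second required by 3.4.5.2(a). Clip and detection times are constructed values in seconds; abutting or overlapping clips are merged first so a detection that straddles two recording files is not flagged falsely.

```python
"""Added example: validate motion-activated recordings against the PCI PED
pre-roll / post-roll rule and the 4 fps minimum (not the post's own code)."""
from dataclasses import dataclass

PRE_ROLL_S = 10.0    # seconds of recording required before a detected motion
POST_ROLL_S = 10.0   # seconds of recording required after a detected motion
MIN_FPS = 4          # 3.4.5.2(a): minimum of four frames per second


@dataclass(frozen=True)
class Clip:
    start: float   # seconds (constructed time base)
    end: float
    fps: float


# Constructed recorder output: four clips, two of which abut at t=100.
SAMPLE_CLIPS = [
    Clip(85.0, 100.0, 8.0),
    Clip(100.0, 115.0, 8.0),
    Clip(295.0, 320.0, 8.0),   # started too late for the 10 s pre-roll
    Clip(485.0, 520.0, 3.0),   # frame rate below the minimum
]

# Constructed motion-detector timestamps (seconds).
SAMPLE_DETECTIONS = [100, 300, 500, 700]


def merge_clips(clips):
    """Merge abutting/overlapping clips into continuous recordings. The merged
    recording conservatively takes the lowest frame rate of its parts."""
    merged = []
    for clip in sorted(clips, key=lambda c: c.start):
        if merged and clip.start <= merged[-1].end:
            last = merged[-1]
            merged[-1] = Clip(last.start, max(last.end, clip.end), min(last.fps, clip.fps))
        else:
            merged.append(clip)
    return merged


def check_motion_coverage(detections, clips):
    """Return a list of (detection_time, reason) for every rule violation."""
    violations = []
    recordings = merge_clips(clips)
    for t in detections:
        covering = [r for r in recordings if r.start <= t <= r.end]
        if not covering:
            violations.append((t, "no recording at detection time"))
            continue
        rec = covering[0]
        if rec.start > t - PRE_ROLL_S:
            violations.append((t, "pre-roll shorter than 10 s"))
        if rec.end < t + POST_ROLL_S:
            violations.append((t, "post-roll shorter than 10 s"))
        if rec.fps < MIN_FPS:
            violations.append((t, "frame rate below 4 fps"))
    return violations


def audit(detections=SAMPLE_DETECTIONS, clips=SAMPLE_CLIPS):
    return check_motion_coverage(detections, clips)


if __name__ == "__main__":
    for when, reason in audit():
        print(f"t={when}: {reason}")
```

The pre-roll condition is the one motion-triggered recorders most often fail: a recorder that only starts writing when motion is detected cannot satisfy "10 seconds before" unless it keeps a rolling buffer, so the check is a quick way to confirm that buffering is actually configured rather than just advertised.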

Some OEMs that have achieved PCI DSS compliance
For example: On March 19, 2015 NUUO, a leading provider of surveillance video management solutions, announced that its NUUO Crystal family (NUUO Crystal™), as well as its Mainconsole family (NUUO Mainconsole Tri-Brid) solutions, had received the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 certification.

Verkada (Cloud Camera Works) offers a technology solution that simplifies the process of meeting PCI physical security requirements. Unlike traditional CCTV systems, Verkada eliminates outdated equipment such as NVRs, DVRs and on-premise servers. The result: a system design that enables modern data security standards and innovative software capabilities by default.

3xLOGIC, the video surveillance vendor selected by our IS/IT department, also meets PCI DSS regulation.

Georgia CCTV understands that PCI-DSS compliance has become a requisite for restaurant operators. Safeguarding cardholder information and ensuring that PCI-DSS compliance standards are maintained is a material investment for companies in both time and resources. Georgia CCTV understands that for a retailer to achieve and maintain full PCI compliance, it is imperative that any services and devices that are part of, or will become part of, a merchant's infrastructure also be PCI-DSS compliant.

ATLANTA, July 30, 2019 – Honeywell [NYSE: HON] announced the release of 30 Series IP Cameras, a new suite of video cameras that strengthens building safety and security through advanced analytics and secure channel encryption. They also adhere to the Payment Card Industry Data Security Standard (PCI-DSS). Together, these elements help meet the increasingly stringent requirements being set by IT departments to shield businesses against unauthorized access and unsanctioned distribution.

Morpho is now IDEMIA, the global leader in Augmented Identity for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. IDEMIA – MORPHO is Payment Card Industry Data Security Standard (PCI DSS) certified company.

HID Global’s ActivID Authentication Appliance is used by enterprises and banks worldwide to secure access to networks, cloud applications and online services to prevent breaches and achieve compliance with the updated FFIEC guidance, PCI DSS and equivalent mandates, policies and guidelines.

Integrated Access Security is a commercial security systems company serving Redwood City. Their access control meets PCI regulation.

QNAP storage systems have the following security certifications:
  • HIPAA Compliance
  • SSAE 18 Type II Certification
  • PCI-DSS Compliant
  • FIPS 140-2 Level 3 Validated Data Handling Practices

Ref:
https://www.rhombussystems.com/blog/security/what-type-of-video-security-system-do-you-need-to-be-pci-compliant/
https://www.pcisecuritystandards.org/document_library?category=educational_resources&subcategory=educational_resources_general
https://www.securitymetrics.com/blog/what-are-12-requirements-pci-dss-compliance
https://www.pcisecuritystandards.org/get_involved/participating_organizations

Sunday, June 21, 2020

Technologies for Face Recognition in Access Control


In the 1960s, Woodrow Wilson Bledsoe developed a system that could classify photos of faces, which came to be called facial recognition. Identifying human faces in digital images has a variety of applications, from biometrics and healthcare to video surveillance and security. In psychological terms, face identification is a process through which humans locate and attend to faces in a visual scene.
One can consider face detection as a specific case of object class detection. A reliable methodology is based on the eigenface technique and the genetic algorithm.

Rather than simply telling you about the basic techniques, we would like to introduce some efficient open-source face recognition algorithms from recent research and projects.

  • OpenFace
  • OpenBR
  • SphereFace
  • Deep Face Recognition with Caffe Implementation
  • Android Face Recognition with Deep Learning

Eight from China, where facial recognition has received the most significant recent support:

  1. Dahua: "interest but not adoption"
  2. Facego: Big parent company, poor marketing
  3. Hikvision: Downplayed
  4. Longse: Face Rec "Just for Show"
  5. Qualvision: "Frank Comments on NDAA, Face Rec Hype"
  6. Sunell: Bold Claims
  7. TVT: "that's gonna piss our customers off"
  8. ZKTeco: Claims World’s Best Facial Recognition, Calls Hikvision “Cheap Chinese”
Note: China's most prominent facial recognition providers are SenseTime, Megvii Face++, and Yitu.

Twelve from outside China, mostly the US, with one each from Australia, Japan, Russia, South Korea and Taiwan:

  1. Avycon: "It Can Detect A Face"
  2. Axxonsoft: Frank Comments on 'Accuracy' Ratings
  3. Ayonix: Emphasis on Speed
  4. Ever AI: Positions Itself as China/Russia Competitor
  5. Deepcam: Selling $59 'Facial Recognition' Cams
  6. Faceron: Obscure Operations
  7. Geovision: 3D Face Map and Gender Recommendations
  8. iOmniscient: "20x Cheaper", Touts Chinese Army as Client
  9. Panasonic: 'We Beat NEC'
  10. Real Networks / SAFR: US Based Facial Recognition for Schools Solution
  11. Tough Dog: Tough Time Selling Face Rec Solutions
  12. Virdi: World's Best / No Evidence

Suprema has a facial recognition reader called FaceStation 2 and also a new FaceLite, introduced in 2019. Idemia VisionPass uses visual cameras, IR, and '3D' Time-of-Flight sensors to establish face 'liveness' and scan faces to verify users. The VisionPass unit supports IR scanning, has capacity for more user templates, and is compatible with OSDP. Idemia pricing is higher, often 2X to 3X higher for VisionPass compared to facial recognition models emerging from China.
1- There are two main technologies for Face Recognition:
Optical solutions (CCTV based): these are based on algorithm/pixel performance only. They can be used for black listing (stadiums, retail, vandalism) but are not enough for white listing (i.e. access control).
Infrared solutions (Suprema and others): these are based on light emission + IR sensors + algorithm + processing power. The advantages of IR are: working distance of 15 cm to 1.5 m (it filters out the background and all related issues), works in any light conditions (unlike CCTV, which can capture a face with the sun from the side), tolerates makeup/painting on the face, and fake face/image detection (easier than with optical). These are safe enough to be used for white listing (= access control).

2- FaceLite works the same way as the Suprema FaceStation2, with infrared templates (it is compatible).
Cool stuff: FaceLite is 43% smaller (in size) than FaceStation2, and the price follows the same 43% off trend. That brings the FaceLite IR face recognition reader to the price of a fingerprint reader (= BioLite Net: BLN2-OAB), while you still get the high performance/reliability/security. No sacrifice on this!

Limitation: the face template is too big to be encoded on a card (>8KB), and Suprema face models are "evolutive" (machine learning: each time you check your face on a reader, the model is updated). The related drawback is that faces cannot be stored on RFID cards (EV1/EV2/Seos); instead they are stored in the central database or in the reader itself (my preference). The number of face models is limited to 3,000 (1:N, identification) and to 30,000 (1:1, verification, in which case you need to swipe a card or input an ID before authentication). Compared to FaceStation2 (FS2), you also lose the second optical camera (which I like for the user interface or picture logs), the large touch screen, the Android OS, and the video intercom possibility. But that's in line with the 43% off in price point!
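The gap between the 3,000-user 1:N limit and the 30,000-user 1:1 limit above is the usual consequence of how false accepts scale with gallery size, and the following Python block is an added illustration of that (not Suprema's code or figures). It pairs a toy cosine-similarity matcher over constructed three-element "templates" with the standard independent-comparison formula for system false-accept rate; the per-comparison false match rate of 1e-5 is an assumed value for the calculation, not a specification of any reader on this page.

```python
"""Added example: why 1:N identification is capped far below 1:1 verification.
Toy matcher plus the false-accept scaling formula; all figures are assumed."""
import math

ASSUMED_FMR = 1e-5   # assumed per-comparison false match rate, not a vendor figure


def system_false_accept(fmr, n):
    """Probability that an impostor probe matches at least one of n enrolled
    templates, treating the n comparisons as independent: 1 - (1 - fmr)^n.
    For n = 1 this is plain 1:1 verification."""
    return 1.0 - (1.0 - fmr) ** n


def max_gallery_size(fmr, target_system_far):
    """Largest gallery n for which system_false_accept(fmr, n) <= target."""
    return int(math.floor(math.log(1.0 - target_system_far) / math.log(1.0 - fmr)))


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


def verify(probe, template, threshold):
    """1:1 - the user has already presented a card or ID; one comparison."""
    return cosine(probe, template) >= threshold


def identify(probe, gallery, threshold):
    """1:N - compare against every template; return the best match above
    threshold, or None. Every extra template is another chance to false-accept."""
    best_id, best_score = None, -1.0
    for user_id, template in gallery.items():
        score = cosine(probe, template)
        if score > best_score:
            best_id, best_score = user_id, score
    return best_id if best_score >= threshold else None


# Constructed toy templates (real face models are much larger; the post says >8 KB).
GALLERY = {
    "alice": [1.0, 0.0, 0.0],
    "bob": [0.0, 1.0, 0.0],
    "carol": [0.0, 0.0, 1.0],
}
THRESHOLD = 0.9


def scaling_report(fmr=ASSUMED_FMR):
    """System false-accept rate for the two capacity figures quoted in the post."""
    return {
        "1:1 (single comparison)": system_false_accept(fmr, 1),
        "1:N over 3,000 users": system_false_accept(fmr, 3000),
        "1:N over 30,000 users": system_false_accept(fmr, 30000),
        "max gallery for 1% system FAR": max_gallery_size(fmr, 0.01),
    }


if __name__ == "__main__":
    for label, value in scaling_report().items():
        print(f"{label}: {value}")
    print("identify genuine:", identify([0.9, 0.1, 0.0], GALLERY, THRESHOLD))
    print("identify impostor:", identify([0.5, 0.5, 0.7], GALLERY, THRESHOLD))
```

With the assumed FMR, a 1:1 check false-accepts one impostor attempt in 100,000, a 3,000-user 1:N gallery false-accepts about 3% of impostor attempts, and a 30,000-user gallery about 26%, which is why a reader that is happy to verify 30,000 enrolled users still wants a card or PIN to narrow the search before it will identify. The independence assumption is optimistic for real templates, so treat the formula as a lower bound when sizing a gallery.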

Privacy: Face templates are stored on central server (encryption: AES 256) or on readers (AES 128), with possible "Tamper secure" option => if the reader is removed from wall, it factory resets and loses all memory (Users, Face Models, Logs, Encryption keys, ..). Face Models are being transported from Central Server <=> Readers via TCP, using TLS 1.2 encryption/certificate.

| Specification | FaceStation 2 (FS2-D) | FaceStation 2 (FS2-AWB) | FaceLite (FL-DB) |
|---|---|---|---|
| RFID / RF Option | 125kHz EM & 13.56MHz MIFARE, MIFARE Plus, DESFire/EV1, FeliCa | 125kHz EM, HID Prox & 13.56MHz MIFARE, MIFARE Plus, DESFire/EV1, FeliCa, iCLASS SE/SR/Seos | 125kHz EM & 13.56MHz MIFARE, MIFARE Plus, DESFire/EV1, FeliCa |
| RFID / Mobile Card | NFC | NFC, BLE | NFC, BLE |
| Protection / Ingress Protection | Not supported | Not supported | Not supported |
| Protection / Vandal Proof | Not supported | Not supported | Not supported |
| Face / Template | SUPREMA | SUPREMA | SUPREMA |
| Face / Extractor / Matcher | SUPREMA | SUPREMA | SUPREMA |
| Face / Live Face Detection | Supported | Supported | Supported |
| Capacity / Users (1:1)* | 30,000 | 30,000 | 30,000 |
| Capacity / Users (1:N)* | 3,000 | 3,000 | 3,000 |
| Capacity / Max. Face Enrollment per User | 5 | 5 | 5 |
| Capacity / Text Log | 5,000,000 | 5,000,000 | 5,000,000 |
| Capacity / Image Log | 50,000 | 50,000 | Not supported |
| HW / CPU | 1.4 GHz Quad Core | 1.4 GHz Quad Core | 1.2 GHz Quad Core |
| HW / Memory | 8GB Flash + 1GB RAM | 8GB Flash + 1GB RAM | 8GB Flash + 1GB RAM |
| HW / LCD Type | 4" color TFT LCD | 4" color TFT LCD | 2" color TFT LCD |
| HW / LCD Resolution | 800 x 480 pixels | 800 x 480 pixels | 320 x 240 pixels |
| HW / Sound | 24 bit Voice DSP (echo cancellation) | 24 bit Voice DSP (echo cancellation) | 24 bit Voice DSP |
| HW / Operating Temperature | -20°C ~ 50°C | -20°C ~ 50°C | -20°C ~ 50°C |
| HW / Storage Temperature | -40°C ~ 70°C | -40°C ~ 70°C | -40°C ~ 70°C |
| HW / Operating Humidity | 0% ~ 80%, non-condensing | 0% ~ 80%, non-condensing | 0% ~ 80%, non-condensing |
| HW / Storage Humidity | 0% ~ 90%, non-condensing | 0% ~ 90%, non-condensing | 0% ~ 90%, non-condensing |
| HW / Weight | Device: 548 g; Bracket: 74 g (including washer and bolt) | Device: 548 g; Bracket: 74 g (including washer and bolt) | Device: 296 g; Bracket: 41 g (including washer and bolt) |
| HW / Dimension (WxHxD, mm) | 141 x 164 x 125 | 141 x 164 x 125 | 80 x 160.3 x 71.8 |
| HW / Tamper | Supported | Supported | Supported |
| Interface / Wi-Fi | Not supported | Built-in, IEEE 802.11 b/g | Not supported |
| Interface / Ethernet | 10/100/1000 Mbps, auto MDI/MDI-X | 10/100/1000 Mbps, auto MDI/MDI-X | 10/100 Mbps, auto MDI/MDI-X |
| Interface / RS-485 | 1ch Host or Slave (Selectable) | 1ch Host or Slave (Selectable) | 1ch Host or Slave (Selectable) |
| Interface / Wiegand | 1ch Input, 1ch Output | 1ch Input, 1ch Output | 1ch Input or Output (Selectable) |
| Interface / TTL Input | 2ch Inputs | 2ch Inputs | 2ch Inputs |
| Interface / Relay | 1 Relay | 1 Relay | 1 Relay |
| Interface / USB | USB 2.0 (Host) | USB 2.0 (Host) | USB 2.0 (Host) |
| Interface / SD Card | Not supported | Not supported | Not supported |
| Interface / PoE | Not supported | Not supported | Not supported |
| Interface / Intercom | Supported | Supported | Not supported |
| Electrical / Power | Voltage: DC 24 V; Current: Max. 2.5 A | Voltage: DC 24 V; Current: Max. 2.5 A | Voltage: DC 24 V; Current: Max. 2.5 A |
| Platform / BioStar 2 | Supported | Supported | Supported |

* Based on one face enrollment per user.