Showing posts with label MORPHO. Show all posts
Showing posts with label MORPHO. Show all posts

Saturday, January 16, 2021

PCI DSS in Security Surveillance

PCI DSS in Security Surveillance
Access control & Video Surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. Thus, it’s no surprise that the Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures). PCI compliance appears to be an issue between the payment card companies such as VISA and the merchants who accept credit cards. However, as merchants are being required to comply, they are passing some of the impact down to the vendors whose systems sit on their network.

Some users, professional now start asking is OEM camera, NVR, Access Controller are Compliance by PCI-DSS, “We need your system to be PCI compliant before we can put it on the network”. Reason is that in Aug 13, 2018 US Govt Ban HikVision & Dahua (and their OEMs) product due to backdoor entry & lots of security risk. On Aug 13, 2019 US Govt signed as a Law.

According to the latest standards, PCI DSS applies to all entities involved in payment card industry—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). To safeguard credit card data from being stolen through network breaches and ineffective IT security practices. Originally most card providers such as Visa and MasterCard had established their own proprietary rules regarding the handling of credit card data by merchants. Concern and confusion by the merchants over varying and overlapping requirements by the rival card companies prompted the card issuers to create an independent organization and standard for protecting credit card data. This entity is known as the PCI Security Council and while there are actually several standards, the most applicable to our industry is the PCI-DSS. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as below:

‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
It is this need to secure the merchants entire network as well as the devices and software attached to the network that creates the demand for video surveillance vendors to meet PCI requirements, or more specifically, to provide solutions which are secure enough that they do not compromise the merchants network security plan. For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.

This first is the inherent or built-in security that the solution has as it leaves the manufacturers back door. Many solutions being shipped today utilize highly vulnerable technologies such as web applications, non-secured operating systems and may even have a wide variety of exploitable technologies built into the product.

Manufacturers first need to understand the most current threats and then need to evaluate and adapt their architectural design to provide maximum inherent security.

One method to accomplish this is by having a valid and effective Software Development Lifecycle (SDLC) program in place which adheres to industry best practices, meets secure software development standards and has security activities and awareness built-in throughout the process.

The second way that network insecurity can be introduced into the merchants’ network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from the PCI requirements are causing them to push back at the manufacturer.

Updated as part of PCI DSS version 3.0, Requirement 9 outlines steps that organizations should take to restrict physical access to cardholder data. Included under this requirement are guidelines that organizations must take to limit and monitor physical access to systems in the cardholder
data environment, such as points of sale (POS) systems. PCI DSS recommends deploying entry access control mechanisms or video security cameras to meet this requirement (or both). Additionally, they require companies to:
  • ü  Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas
  • ü  Verify that video cameras (or access controls) are protected from tampering or disabling
  • ü  Review collected data and correlate with other entries
  • ü  Store video data (or access logs data) for at least three months

Beyond the requirements specific to physical security, PCI DSS outlines a range of measures that organizations must

The PCI Data Security Standard (DSS) specifically excludes the need to provide cameras over cash registers:

DSS 9.1.1: "Use video cameras and/or access control mechanisms to monitor individual access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: - Sensitive areas refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business process. The classification level determines what an enterprise needs to do to remain compliant.
·        Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
·        Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
·        Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
·        Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.


PCI DSS Compliance
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.

Clearly, there's no explicit camera requirement here, but cameras are a good way to remaining in compliance with requirement 9.2. It's hard to know if you had a physical security breach if you don't have any video evidence.

PCI PED Compliance
3.4.5.2 Monitor, Camera, and Digital Recorder Requirements
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.
c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.
d) CCTV cameras must be connected at all times to:
·        Monitors located in the control room
·        An alarm system that will generate an alarm if the CCTV is disrupted
·        An active image-recording device

Q30 March (update) 2015
Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?
A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.

Some of OEM done PCI DSS Compliance
For example: On March 19, 2015 - NUUO, a leading provider of surveillance video management solutions, today announced that its NUUO Crystal family (NUUO CrystalTM), as well as Mainconsole Family (NUUO Mainconsole Tri-Brid) solutions have received the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 certification.

Verkada (Cloud Camera Works) offers a technology solution that simplifies the process of meeting PCI physical security requirements. Unlike traditional CCTV systems, Verkada eliminates outdated equipment such as NVRs, DVRs and on-premise servers. The result: a system design that enables modern data security standards and innovative software capabilities by default.

3xLOGIC video surveillance vendor selected by our IS/IT department, also meet PSI DSS regulation.

Georgia CCTV understands that PCI-DSS compliance has become a requisite for restaurant operators. Safe guarding cardholder information and ensuring that PCI-DSS compliance standards are maintained is a material investment for companies in both time and resources. Georgia CCTV understands that for a retailer to achieve and maintain full PCI compliance, it is imperative that any services and devices that are part of or will become part of a merchant’s infrastructure also be PCI-DSS compliant.

ATLANTA, July 30, 2019 – Honeywell [NYSE: HON] announced the release of 30 Series IP Cameras, a new suite of video cameras that strengthens building safety and security through advanced analytics and secure channel encryption. They also adhere to the Payment Card Industry Data Security Standard (PCI-DSS) Together, these elements help meet the increasingly stringent requirements being set by IT Departments to shield businesses against unauthorized access and unsanctioned distribution.

Morpho is now IDEMIA, the global leader in Augmented Identity for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. IDEMIA – MORPHO is Payment Card Industry Data Security Standard (PCI DSS) certified company.

HID Global’s ActivID Authentication Appliance is used by enterprises and banks worldwide to secure access to networks, cloud applications and online services to prevent breaches and achieve compliance with the updated FFIEC guidance, PCI DSS and equivalent mandates, policies and guidelines.

Integrated Access Security is a commercial security systems company serving Redwood City. There Access control meet PCI regulation.

QNAP storage system have the following security certifications:
HIPAA Compliance
SSAE 18 Type II Certification
PCI-DSS Compliant

FIPS 140-2 Level 3 Validated Data Handling Practices

Ref:
https://www.rhombussystems.com/blog/security/what-type-of-video-security-system-do-you-need-to-be-pci-compliant/
https://www.pcisecuritystandards.org/document_library?category=educational_resources&subcategory=educational_resources_general
https://www.securitymetrics.com/blog/what-are-12-requirements-pci-dss-compliance
https://www.pcisecuritystandards.org/get_involved/participating_organizations

Saturday, November 12, 2016

What happens during a fingerprints scan

What happens during a fingerprints scan?


What is a Fingerprint?
The skin surface of the fingers, palms and soles of the feet is different to the rest of the body surface. If you look at the inner surface of your hands and soles of the feet you will see a series of lines made up of elevations which we call 'ridges' and depressions which we call 'furrows'.
These ridges and furrows can be recorded in many ways. For example, the ridges can be inked and placed on to a piece of paper. This would leave a fingerprint like below. The black lines represent the ridges and the white lines represent the furrows.

Within these patterns the ridges can split or end creating ridge characteristics. There are 6 types of ridge characteristics.
Everyone has a unique and different distribution of these characteristics that develop in the womb and are persistent throughout life.

It is the coincidence sequence of these characteristics that allow me to make identifications. The coincidence sequence is whereby I will find the same characteristics, in the same order with the same relationship to each other in both the crime scene fingerprint and the fingerprint on the form I am using.

Fingerprints unique:
It's pretty obvious why we have fingerprints—the tiny friction ridges on the ends of our fingers and thumbs make it easier to grip things. By making our fingers rougher, these ridges increase the force of friction between our hands and the objects we hold, making it harder to drop things. You have fingerprints even before you're born. In fact, fingerprints are completely formed by the time you're seven months old in the womb. Unless you have accidents with your hands, your fingerprints remain the same throughout your life.

Enrollment and verification
Suppose you're in charge of security for a large bank and you want to put a fingerprint scanning system on the main entry turnstile where your employees come in each morning. How exactly would it work?
There are two separate stages involved in using a system like this. First you have to go through a process called enrollment, where the system learns about all the people it will have to recognize each day. During enrollment, each person's fingerprints are scanned, analyzed, and then stored in a coded form on a secure database. Typically it takes less than a half second to store a person's prints and the system works for over 99% of typical users (the failure rate is higher for manual workers than for office workers).
Once enrollment is complete, the system is ready to use—and this is the second stage, known as verification. Anyone who wants to gain access has to put their finger on a scanner. The scanner takes their fingerprint, checks it against all the prints in the database stored during enrollment, and decides whether the person is entitled to gain access or not. Sophisticated fingerprint systems can verify and match up to 40,000 prints per second!

How fingerprint scanners work
a computer has to scan the surface of your finger very quickly and then turn the scanned representation into a code it can check against its database. How does this happen?
There are two main ways of scanning fingers. An optical scanner works by shining a bright light over your fingerprint and taking what is effectively a digital photograph. If you've ever photocopied your hand, you'll know exactly how this works. Instead of producing a dirty black photocopy, the image feeds into a computer scanner. The scanner uses a light-sensitive microchip (either a CCD, charge-coupled device, or a CMOS image sensor) to produce a digital image. The computer analyzes the image automatically, selecting just the fingerprint, and then uses sophisticated pattern-matching software to turn it into a code.
Another type of scanner, known as a capacitive scanner, measures your finger electrically. When your finger rests on a surface, the ridges in your fingerprints touch the surface while the hollows between the ridges stand slightly clear of it. In other words, there are varying distances between each part of your finger and the surface below. A capacitive scanner builds up a picture of your fingerprint by measuring these distances. Scanners like this are a bit like the touchscreens on things like iPhones and iPads.

Unlike ordinary digital photos, scans have to capture exactly the right amount of detail—brightness and contrast—so that the individual ridges and other details in the fingerprint can be accurately matched to scans taken previously. Remember that fingerprints might be used as evidence in criminal trials, where a conviction could result in a long jail sentence or even the death penalty. That's why "quality control" is such an important part of the fingerprint scanning process.


Here's how the process works with a simple optical scanner:
1.    A row of LEDs scans bright light onto the glass (or plastic) surface on which your finger is pressing (sometimes called the platen).
2.    The quality of the image will vary according to how you're pressing, how clean or greasy your fingers are, how clean the scanning surface is, the light level in the room, and so on.
3.    Reflected light bounces back from your finger, through the glass, onto a CCD or CMOS image sensor.
4.    The longer this image-capture process takes, the brighter the image formed on the image sensor.
5.    If the image is too bright, areas of the fingerprint (including important details) may be washed out completely—like an indoor digital photo where the flash is too close or too bright. If it's too dark, the whole image will look black and details will be invisible for the opposite reason.
6.    An algorithm tests whether the image is too light or too dark; if so, an audible beep or LED indicator alerts the operator and we go back to step 1 to try again.
7.    If the image is roughly acceptable, another algorithm tests the level of detail, typically by counting the number of ridges and making sure there are alternate light and dark areas (as you'd expect to find in a decent fingerprint image). If the image fails this test, we go back to step 1 and try again.
8.    Providing the image passes these two tests, the scanner signals that the image is OK to the operator (again, either by beeping or with a different LED indicator). The image is stored as an acceptable scan in flash memory, ready to be transmitted (by USB cable, wireless, Bluetooth, or some similar method) to a "host" computer where it can be processed further. Typically, images captured this way are 512×512 pixels (the dimensions used by the FBI), and the standard image is 2.5cm (1 inch) square, 500 dots per inch, and 256 shades of gray.
9.    The host computer can either store the image on a database (temporarily or indefinitely) or automatically compare it against one or many other fingerprints to find a match.
The matching algorithm finds out whether there is a match by comparing two templates extracted by the characteristic point extraction algorithm, specifically by comparing the positions of each characteristic point and the structure.