Saturday, January 16, 2021

PCI DSS in Security Surveillance

PCI DSS in Security Surveillance
Access control & Video Surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. Thus, it’s no surprise that the Payment Card Industry Data Security Standard (PCI DSS) outlines specific guidelines for securing cardholder data environments (CDE) from a physical standpoint. This means protecting devices and systems (desktops, laptops, point-of-sale terminals, servers, routers, phones and other equipment), as well as the facility itself (office buildings, retail stores, data centres, call and contact centres and other structures). PCI compliance appears to be an issue between the payment card companies such as VISA and the merchants who accept credit cards. However, as merchants are being required to comply, they are passing some of the impact down to the vendors whose systems sit on their network.

Some users, professional now start asking is OEM camera, NVR, Access Controller are Compliance by PCI-DSS, “We need your system to be PCI compliant before we can put it on the network”. Reason is that in Aug 13, 2018 US Govt Ban HikVision & Dahua (and their OEMs) product due to backdoor entry & lots of security risk. On Aug 13, 2019 US Govt signed as a Law.

According to the latest standards, PCI DSS applies to all entities involved in payment card industry—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). To safeguard credit card data from being stolen through network breaches and ineffective IT security practices. Originally most card providers such as Visa and MasterCard had established their own proprietary rules regarding the handling of credit card data by merchants. Concern and confusion by the merchants over varying and overlapping requirements by the rival card companies prompted the card issuers to create an independent organization and standard for protecting credit card data. This entity is known as the PCI Security Council and while there are actually several standards, the most applicable to our industry is the PCI-DSS. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as below:

‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
It is this need to secure the merchants entire network as well as the devices and software attached to the network that creates the demand for video surveillance vendors to meet PCI requirements, or more specifically, to provide solutions which are secure enough that they do not compromise the merchants network security plan. For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.

This first is the inherent or built-in security that the solution has as it leaves the manufacturers back door. Many solutions being shipped today utilize highly vulnerable technologies such as web applications, non-secured operating systems and may even have a wide variety of exploitable technologies built into the product.

Manufacturers first need to understand the most current threats and then need to evaluate and adapt their architectural design to provide maximum inherent security.

One method to accomplish this is by having a valid and effective Software Development Lifecycle (SDLC) program in place which adheres to industry best practices, meets secure software development standards and has security activities and awareness built-in throughout the process.

The second way that network insecurity can be introduced into the merchants’ network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from the PCI requirements are causing them to push back at the manufacturer.

Updated as part of PCI DSS version 3.0, Requirement 9 outlines steps that organizations should take to restrict physical access to cardholder data. Included under this requirement are guidelines that organizations must take to limit and monitor physical access to systems in the cardholder
data environment, such as points of sale (POS) systems. PCI DSS recommends deploying entry access control mechanisms or video security cameras to meet this requirement (or both). Additionally, they require companies to:
  • ü  Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas
  • ü  Verify that video cameras (or access controls) are protected from tampering or disabling
  • ü  Review collected data and correlate with other entries
  • ü  Store video data (or access logs data) for at least three months

Beyond the requirements specific to physical security, PCI DSS outlines a range of measures that organizations must

The PCI Data Security Standard (DSS) specifically excludes the need to provide cameras over cash registers:

DSS 9.1.1: "Use video cameras and/or access control mechanisms to monitor individual access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: - Sensitive areas refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store."

PCI DSS Compliance levels

PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business process. The classification level determines what an enterprise needs to do to remain compliant.
·        Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by an authorized PCI auditor, they must undergo an internal audit once a year. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV).
·        Level 2: Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
·        Level 3: Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
·        Level 4: Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.


PCI DSS Compliance
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.
9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.

Clearly, there's no explicit camera requirement here, but cameras are a good way to remaining in compliance with requirement 9.2. It's hard to know if you had a physical security breach if you don't have any video evidence.

PCI PED Compliance
3.4.5.2 Monitor, Camera, and Digital Recorder Requirements
a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.
b) CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.
c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.
d) CCTV cameras must be connected at all times to:
·        Monitors located in the control room
·        An alarm system that will generate an alarm if the CCTV is disrupted
·        An active image-recording device

Q30 March (update) 2015
Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?
A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.

Some of OEM done PCI DSS Compliance
For example: On March 19, 2015 - NUUO, a leading provider of surveillance video management solutions, today announced that its NUUO Crystal family (NUUO CrystalTM), as well as Mainconsole Family (NUUO Mainconsole Tri-Brid) solutions have received the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 certification.

Verkada (Cloud Camera Works) offers a technology solution that simplifies the process of meeting PCI physical security requirements. Unlike traditional CCTV systems, Verkada eliminates outdated equipment such as NVRs, DVRs and on-premise servers. The result: a system design that enables modern data security standards and innovative software capabilities by default.

3xLOGIC video surveillance vendor selected by our IS/IT department, also meet PSI DSS regulation.

Georgia CCTV understands that PCI-DSS compliance has become a requisite for restaurant operators. Safe guarding cardholder information and ensuring that PCI-DSS compliance standards are maintained is a material investment for companies in both time and resources. Georgia CCTV understands that for a retailer to achieve and maintain full PCI compliance, it is imperative that any services and devices that are part of or will become part of a merchant’s infrastructure also be PCI-DSS compliant.

ATLANTA, July 30, 2019 – Honeywell [NYSE: HON] announced the release of 30 Series IP Cameras, a new suite of video cameras that strengthens building safety and security through advanced analytics and secure channel encryption. They also adhere to the Payment Card Industry Data Security Standard (PCI-DSS) Together, these elements help meet the increasingly stringent requirements being set by IT Departments to shield businesses against unauthorized access and unsanctioned distribution.

Morpho is now IDEMIA, the global leader in Augmented Identity for an increasingly digital world, with the ambition to empower citizens and consumers alike to interact, pay, connect, travel and vote in ways that are now possible in a connected environment. IDEMIA – MORPHO is Payment Card Industry Data Security Standard (PCI DSS) certified company.

HID Global’s ActivID Authentication Appliance is used by enterprises and banks worldwide to secure access to networks, cloud applications and online services to prevent breaches and achieve compliance with the updated FFIEC guidance, PCI DSS and equivalent mandates, policies and guidelines.

Integrated Access Security is a commercial security systems company serving Redwood City. There Access control meet PCI regulation.

QNAP storage system have the following security certifications:
HIPAA Compliance
SSAE 18 Type II Certification
PCI-DSS Compliant

FIPS 140-2 Level 3 Validated Data Handling Practices

Ref:
https://www.rhombussystems.com/blog/security/what-type-of-video-security-system-do-you-need-to-be-pci-compliant/
https://www.pcisecuritystandards.org/document_library?category=educational_resources&subcategory=educational_resources_general
https://www.securitymetrics.com/blog/what-are-12-requirements-pci-dss-compliance
https://www.pcisecuritystandards.org/get_involved/participating_organizations

Friday, January 1, 2021

Upcoming Trends in security & surveillance for 2021

Upcoming Trends in Security & Surveillance for 2021 

It’s fair to say 2020 has not been the year any of us were expecting. It has been challenging, we have all made sacrifices, and there are still further obstacles in our path as we try to get back to “normal”. SARS-CoV-2, the coronavirus strain that causes COVID-19, is a highly contagious respiratory illness that is affecting lives worldwide. Epidemics and pandemics have been threatening the human race time and again. SARS, H1N1, Ebola, and more have shown their teeth in the past, but with each such outbreak, we are learning new ways of fighting and managing such unexpected diseases that can potentially kill millions of people. Technology cannot prevent the onset of the pandemics; however, it can help prevent the spread, educate, warn, and empower those on the ground to be aware of the situation, and noticeably lessen the impact. The pandemic of 2020 has certainly changed the landscape for us all, not just the security industry. It has made us a lot more aware of touch points, crowded gatherings and personal space. It is inevitable that technology will adapt as our lives do. We have already seen manufacturers race to bring us solutions such as body temperature management, face mask detection and crowd control etc. It’s time to change. It’s time to get better. It’s time to learn more and sharpen our skills.’

During pandemic Webinar is boom through Zoom. Google meet, Gotowebiner etc in security safety automation industry. System Integrator, End Users, professionals are learn many things through OEM direct Webinar. US already ban China made surveillance product. In india Atmanirbhar Bharat (self-reliant India) is the vision of the Prime Minister of India Narendra Modi of making India a self-reliant nation. The first mention of this came in the form of the 'Atmanirbhar Bharat Abhiyan' or 'Self-Reliant India Mission' during the announcement of the coronavirus pandemic related economic package on 12 May 2020. Known china CCTV OEM are thrown out. Yes, it’s true, India don’t have much infrastructure to generate Camera manufacturing plant, it will take time at list 5 year. Within this time, we can follow BIS website to get information about selected camera / NVR model are china factory make or not. Low cost and high cost both option camera you can found. If you found that model belongs to china factory immediately change with Closest or Alternative Substitute. Now we check what will be next in 2021 for Security Safety & Automation.

OSHA new Policy:

The COVID-19 outbreak has caused almost all firms to deploy the work from home practice for employees. While some may be used to this, others may feel lost in the exercise. While not all Indian are able or fortunate enough to work from home, many have transitioned to telecommuting and virtual work over the last week or two.

While employers’ responsibilities for the safety and health of their at-home workers is less than those in the office or onsite, some do still exist. OSHA distinguishes between home offices and other home workplaces.
OSHA’s compliance directive on home offices is pretty clear:
·     “OSHA will not conduct inspections of employees’ home offices.
·     “OSHA will not hold employers liable for employees’ home offices, and does not expect employers to inspect the home offices of their employees.
·   “If OSHA receives a complaint about a home office, the complainant will be advised of OSHA’s policy. If an employee makes a specific request, OSHA may informally let employers know of complaints about home office conditions, but will not follow-up with the employer or employee.”
What about recording injuries while working at home? If an employee is working at home, when could the injury be considered work-related? OSHA answers the question:
How do I decide if a case is work-related when the employee is working at home? Injuries and illnesses that occur while an employee is working at home, including work in a home office, will be considered work-related if the injury or illness occurs while the employee is performing work for pay or compensation in the home, and the injury or illness is directly related to the performance of work rather than to the general home environment or setting.

Video Intercoms:

One of the newer phenomena we’ve faced in the world has been the concept of physical distancing, brought to light by the global coronavirus pandemic. This has created challenges not only socially, but for technologies that were not designed to accommodate what may be the new norm. Video intercoms are really going to be playing a bigger part in the way facilities are organized and processes are organized. We’re seeing some customers that are using this to limit having to actually go inside a room in a healthcare facility, for example, to limit the chances of transmitting something all while maintaining that frequency of checking. One of the main benefits of door intercoms is, simply put, the ability to limit — or even eliminate — human contact at the door. In this pandemic, an immediate need is providing [the customer with] a way to create physical distancing upon entry. This can also be applied to healthcare workers. Integrators have to understand this greater demand for security at the door and deliver solutions to their customers. Everybody is having food, groceries and other things delivered to their door. Demand for that is very high right now. Additional security at the door or the gate is something people want and need.

Home Over IP:

Amazon, Apple, Google and the Zigbee Alliance announced a new working group that plans to develop and promote the adoption of a new, royalty-free connectivity standard to increase compatibility among smart home products, with security as a fundamental design tenet. Zigbee Alliance board member companies such as IKEA, Legrand, NXP Semiconductors, Resideo, Samsung SmartThings, Schneider Electric, Signify (formerly Philips Lighting), Silicon Labs, Somfy and Wulian are also on board to join the working group and contribute to the project. The goal of the Connected Home over IP project is to simplify development for manufacturers and increase compatibility for consumers. The project is built around a shared belief that smart home devices should be secure, reliable and seamless to use. By building upon IP, the project aims to enable communication across smart home devices, mobile apps and cloud services, and to define a specific set of IP-based networking technologies for device certification.

Video Surveillance:

The global CCTV camera market is anticipated to generate substantial revenue of more than to USD 38 billion till 2021. Asia Pacific and America holds the largest share of the global market and act as one of the main driver for the market. According to “India CCTV Camera Market Outlook, 2021”, the India CCTV Camera market is expected to grow with a CAGR of more than 26 % in the period from 2016 to 2021. Technology wise non-IP dominates the Indian market but in the coming years IP is expected to take the lead soon. Non -IP technology constitutes of analog and HD CCTV cameras. Analog is technology which is in a depleting stage and it share is expected to be taken by the IP technology and the HD type CCTV camera. Dome typed cameras are the most widely used cameras in any sectors. Commercial segment is the driver of the CCTV market in India with the increasing count of SOHO’s and SME’s. With the increasing security concerns, residential sector would also be one of the factors for the increasing market. As criminal activities are more in the northern region of India, North dominates the market in terms of revenue.

Facial Recognition:

Facial recognition is the common theme of the week’s top digital identity news with retail applications, new edge servers, and biometric border control deployments around the world. A new software partnership on biometric cryptography has also been announced, a report shows the importance of selfie biometrics in fraud reduction published, and the industry, as well as society more broadly, continues to contend with the issue of algorithmic bias. Facial recognition solutions identify a person by forming a unique code built on algorithms from multiple points on a person’s face, including nose, chin, lips, eyes and jaw. However, when a person wears a mask, many of these key points are not visible. Faces were often completely missed, and unsuccessful or false identifications were high. Those are know this wearing masks can reduce the accuracy they avoid to take Facial recognition

Video Verification:

The city currently has over 1,000 video surveillance cameras deployed across the metropolitan area and is expected to reach over 1,700 security devices. Now it’s very difficult to watch every moment on comment control center. It’s very important to see what camera saw. Through Video Auditing software the task are easy. Day by day its increase.

Rise of Mobile Credentials:

There has been a tremendous uptick in the popularity of mobile credentials. Research firm IHS Markit has reported that mobile-based credentials are the fastest-growing access control product. Globally they have experienced nearly a 150 percent growth between 2017 and 2018. Estimates show that more than 120 million mobile credentials will be downloaded in 2023 by end users. A 2019 survey by HID estimated that 54% of businesses had upgraded or would upgrade to a mobile access control system in the next three years. Though access cards still play a powerful role in the access control market, we are seeing a strong shift towards mobile access control like various companies. The use of mobile-based credentials is the logical next step for the physical security and access control industry. The fact that people are always with their smartphone helps popularise this trend. Phones aren’t just phones anymore. They play a bigger role in day-to-day life and this also includes access control. Mobile credentials can revolutionise the industry, eliminating the need to carry and wipe a card. Instead, a phone’s technology can be used to authenticate identity and grant entry. This gives greater flexibility, improves privacy and can also lower the maintenance costs of credential management for end users. Additionally, a clear advantage is that employees are more likely to carry their smartphone with them and less likely to lose them compared to NFC transponders.

The advantages of using virtual access control cards, which are stored on smartphones, are obvious: less logistics when distributing, revoking or replacing cards and many more ways to integrate with technology on the phone or other hosts and devices in the network. Often also the user experience of mentioned as a benefit of mobile access: users do not have to fill up their wallets with a pile of RFID cards but can conveniently carry them around in their phone. The networking capacity of smartphones would even be a great way to overcome the limitations of offline access control installations where access rights would be stored on smartphones instead of cards.

Security in the cloud:

After the entrance of IP-networking in security around twenty years ago, it is one of the major current trends in our industry: cloud based security systems. In the context of physical security one could define cloud based systems as those systems with a topology that looks like this:
·       A server that is ‘in the cloud’ and can be accessed from virtually anywhere;
·       Devices that connect over an IP-network to that central server;
·       Web based administration of the system;
·       Commercially based on a service or transaction model with recurring fees.
Variations exist. But in general this pretty much sums up what to expect when reviewing a cloud based system.
We see this set-up currently already in several categories:
·               Video Intercom Systems, like the systems from Akuvox, which are based on video intercom stations that connect to a cloud based server, which also enables use of apps as virtual door phones.
·   Mobile access systems that enable the use of virtual credentials on smartphones. and that are managed from a cloud based server.
·               Video management software now also is offered by several vendors as a cloud service, for example: 3dEYE, Open Eye, and VIVOTEK.

IoT security topologies:

The Internet of Things idea has been around for ages. It was predicted over a decade ago that billions of device will connect to the Internet. Sensors all around us will deliver data to the cloud. Feeding data into ‘big data’ processing applications that will give us access to a wealth of information. Devices also connect the cloud. To be part of applications that can be used and managed from virtually any location. For security it would mean that it very much is related to cloud based security applications. The additional step here would be that camera’s, readers, intercoms, intrusion detection sensors and biometric stations would connect directly to the cloud based service. Installations would be easier and more scalable. Access control systems could be deployed at any door and still be real online access control systems. Video surveillance would be available at any location that would require security monitoring. Security sensors and devices can be rolled out everywhere.

Smartphones and wearables

Using smartphones or other wearable devices in security has been a popular idea for many years. Smartphones and tablets often can be used to access the administration Interface (GUI) of the access control, video management or PSIM systems. That hardly is considered an innovation. Smartphones can also be used as virtual access control and identity cards in mobile acess systems. In addition it appears that also biometrics like facial recognition and fingerprint identification are now available on smartphones. It appears logical that smartphones with their native connectivity features are an interesting extension of security systems.
Mobile credentials enable both multimodal and multi-factor authentication. Multimodal means proving identity and/or gaining access using at least two separate biometrics, or permitting access through any one of various credentials, such as a smartcard or PIN. Multi-factor authentication involves proving identity and/or obtaining access via at least two methods or credentials. Multi-factor authentication is widely used in digital access. For example, when an employee logs onto a company’s system, he or she must use a secondary method to verify identity via a one-time token via SMS or other app. It is also burgeoning in physical access applications. Although two-factor authentication has been mandated in regulated industries, it is emerging in unregulated verticals as well. The development of multimodal readers will continue to fuel this trend.
Believers say that people prefer carrying around their smartphone over additional cards. They refer to the technical possibilities that smartphones offer in areas like user convenience and integration of systems.

Identity analytics and AI

A relatively new field in security is identity analytics. Seeing through identity and security related data in an automated way. To monitor use of access priviliges and consequently alter those access rights. The idea comes from the IT industry and that is where you will see it deployed mostly now. Recent research indicates that this is an emerging market with high anticipated growth potential. It would make sense to include physical security into these applications.
Believers will say that, like with video analytics, many more security related events can be actively monitored, more incidents can be detected and a tighter security regime can be implemented without hindering users unnecessarily.
It remains to be seen what the future will bring exactly. But intelligent security related data analytics certainly will have a place in modern enterprise security management applications.

Centralized Control of Fire Detection:

The principle of networking involves connecting several panels together to form a system. Inputs on one panel may activate outputs on another, for example, or the network may allow monitoring of many systems. Networking is often used in situations where one panel is not large enough, or in multiple-building situations. Networking is also an effective way to decouple systems to reduce the risk of a large portion of a facility going offline at any time due to system failure or maintenance requirements. Sub-Networks can be created using either hardware or software architectures. Networked systems normally are more costly and involve additional training and system configuration for successful implementation.


From this year many customer implement centralised monitoring & controlling of Fire Panel through creating WLAN communication with Graphic software. Due to cost effective graphical monitoring control software only industrial & Enterprise business implement the same. Also it will possible if same brand panel is there in all location.

BMS Workforce:

The growth of IBMS market is observing hindrance due to lack of availability of skilled workforce. The Intelligent building management systems are usually complex and require skilled personals to operate. The cost of training operators to handle complex equipment such as HVAC control, outdoor controls, security and access control, energy management systems and smart meters is quite high. Owing to which, small scale companies cannot afford to invest large capital to train their operators. This factor is likely to affect the growth of the IBMS market in the country.
But due to COVID-19 many OEM & society presence webinar program to educate more. This will be effect in this 2021-22. The region segmentation for the IBMS market has been done by South IndiaWest IndiaNorth IndiaEast India. Which include general lighting controls, communication systems, security controls, HVAC controls, access controls, outdoor controls entertainment controls and others. The India IBMS market is segmented by application into: hospitality, residential and retail, life science, office space, manufacturing, and energy and infrastructure. All these segments have also been estimated on the basis of geography in terms of revenue (USD Million).

The goal of building management systems was—and still is—to help optimize building performance by

·       Providing data on core building operational systems, specifically HVAC. 

·       Enabling the automatic control of a building’s main operating functions. 

IoT for buildings has the same goal of performance optimization (and by extension, saving money) through data and automatic control, but advanced technology takes these aspects many steps further than a traditional BMS system can. 

We wish you all the very best for 2021 and we look forward to working with you for many years to come.


Wednesday, December 16, 2020

Intrusion Alarm Circuits Guide

Intrusion Alarm Circuits Guide 

Intrusion alarm circuits are a fundamental element of wired intrusion / burglar systems. Designing the intrusion alarm circuit greatly affects its performance. In particular, more efficient circuit designs introduce less resistance and cause fewer false alarms.

Alarm Circuits Overviewed

Intrusion alarm circuits use wires between an Intrusion alarm panel and various sensors. When the circuit / connection of those wires is broken (e.g., an alarmed window opens), the alarm is triggered if the system is armed / enabled.

How an Alarm Circuit Works

An intrusion alarm circuit consists of a pair of wires running from an intrusion alarm panel to a sensor, such as a magnetic contact. Electrical charge flows from the positive terminal, down one wire, and into the sensor. When something causes the sensor to close, it completes the circuit, allowing the charge to flow down the other wire and back to the negative terminal on the panel.

In the case of the contact, the circuit is complete because the magnet causes the reeds to touch, allowing current to flow from the reed on the positive side of the circuit to the reed on the negative side.

Using a pair of wires to connect both sides of the sensor to both terminals on the panel creates a large circle, which is where the word circuit comes from. The electrons flow freely all around this circuit, from the positive terminal on the panel, through the sensor, and back to the negative terminal. Opening the window will cause the reed to separate, which will break the circle and stop the flow of electrons. In other words, opening a window will create an open circuit. It is this open circuit that causes an alarm condition.

Loops vs Splices

The two most common ways to add multiple sensors to circuits is to use loops or splices.

Loops are preferred because it creates a short pathway, which means less resistance, fewer points of failure and faster to install. However, loops can only typically be used in new construction where the technician has the ability to run wires and loops through the window frames before the drywall is installed. Prewiring requires coordination with the general contractor or the carpenter. The alarm company needs to be able to schedule a technician to complete the wiring before the drywall crew is scheduled to begin installing drywall, and the carpenter should be told where to drill holes on the moulding or window frame.

Splices should be minimized because they add resistance and are more time consuming to install. However, adding alarms to exiting homes or businesses typically require this since it is not feasible to open the drywalls to run a looped circuit.

Two types of splicing exists: field splice and ITB (in-the-box) splice. The benefits of field splices are lower total circuit resistance and using less wire, but it requires a more skilled technician to hide the splice. By contrast, ITB splices are easier to troubleshoot, have fewer potential points of failure and they can be done by a less experienced installer, but they have higher total circuit resistance and require an installer to home run a wire to each individual window.

Loops Explained

The image below shows an example of a loop that allows two windows to share a circuit. Opening either the top sash or the bottom sash of either the right window or left window will cause the same zone to open. To accomplish this, a technician runs a single wire from one contact to another, allowing the current to travel around the windows in a circle. The technician leaves a loop at every window, which will bring the circuit in one side of the contact and out the other.

One wire of the pair runs to the window on the right, and the other runs to the window on the left. The technician has run loops of wires from one side of the contact to the other. One side of the contact on the top right window has a loop running to one side of the contact on the left (shown in black below). The loop between the top left contact and the bottom left contact (shown in RED) completes the circle, as long as all the windows are closed.

Field Splices

A field splice is one that is made at the device end of the wire, usually at the device itself. A skilled technician can make a field splice if the conditions are right. Splices must be accessible for future troubleshooting, so a field splice can only be made if there is someplace to hide them away from casual view. For example, when wiring windows, a technician can staple the wire to the underside of the frame or moulding, out of sight but easily found by an experienced / certified intrusion alarm troubleshooter. Intrusion alarm installers commonly wire all sirens and strobes in a location to a single circuit, and make field splices inside the siren box.


In this example, a pair of wires (green) is running to the alarm panel. Red wires are running to magnetic contacts on the bottom sash and the top sash of the right window, and blue wires are running to the top sash and the bottom sash of the left window. One red wire is spliced to one blue wire, leaving one red wire and one blue wire to be spliced to the green wires.

ITB Splices

ITB splices, or in-the-box splices, are those made inside the alarm can. Separate wires are run to each individual contact, and they are then joined up at the panel using a splice.

ITB splices are much easier for inexperienced technicians, and much faster to wire up. Making ten splices, one after another, to add ten devices to five zones, is faster than making a splice at every entranceway and then figuring out how to tuck them away. They are also much easier to troubleshoot if properly labeled in the can, because a troubleshooter can quickly isolate the circuit branch causing the issue, and does not have to first find and identify the splice. However, running individual wires is more more labor intensive, and uses more wire.

Circuit Electrical Specifications

All devices in an alarm, including unpowered devices such as contacts, require a specific amount of charge flowing through the wires at a specific speed and pressure or it will not work.

Every circuit has a voltage, current, and resistance value:

  • Voltage is measured in volts (V).
  • Current is measured in amps (A).
  • Resistance is measured in ohms (Ω).

Voltage is a measurement of how much electricity is available for use. Every device lists the amount of voltage it requires to operate.

  • If given too few volts, the device will either not power up or will work erratically.
  • If given too many volts, it will either shut down or overheat.

Current is the pressure at which the charge flows. All devices consume, or draw, electricity at a predetermined rate.

  • Not enough amps may cause the device to work harder to draw voltage, which could cause it to either shut down, overheat, or work erratically.
  • Too many amps is not harmful as the device cannot draw more current than it can use.

Resistance is anything that slows the current. Factors that increase resistance are

  • Number of connected devices
  • Wire length
  • Splices
  • Time
  • Copper oxidization

Too much resistance on a circuit will lower the current, making it more difficult for the alarm to monitor the zone properly. Since resistance increases in all circuits as time goes on, improperly designed circuits have a high probability of causing false alarms years after being installed. Therefore, every effort should be made to keep the resistance as low as possible.

Parallel Versus Series

The two methods of joining multiple sections to a single circuit are parallel and series. Devices can either be wired in parallel or in series with each other. Circuits using parallel splices are called parallel circuits, and circuits using series splices are called series circuits.

In a series splice, one of the pair of wires is spliced to one the next pair of. This way, no matter how many pairs of wires are added, the end result is two wires that are simple to connect to two screw terminals. In between, lots of wires are spliced to each other. This makes troubleshooting simpler, because a technician can simply test a single branch of the circuit at a time. Series is typically best for connecting a small number of devices to a circuit. It is faster and easier to wire up. The downside is that series introduces a lot more resistance if too many devices are connected.

In a series circuit, the wires from each branch of the circuit will be spliced together until two wires not spliced to anything are left. These single conductors will be connected to the screw terminals, while the splices 'hang' in the air, not connected to anything but each other. No matter how many devices and wires are connected to the circuit, there will always be only one wire to connect to the positive and one to connect to the negative.

Parallel splices are typically best for connecting a large number of devices to a single circuit, or for circuits that draw lots of power. It greatly reduces the amount of resistance, allowing those large numbers of devices to be connected. However, it is harder / more complicated to implement, will not work if done incorrectly, and is more difficult to troubleshoot later on.

In a parallel circuit, all the matching sides of the wire pairs are simply spliced together, with the end result being two thick wire twists. This can be a challenge to connect to screw terminals. In order to troubleshoot the wire going to a branch of the circuit, a technician must first undo the entire splice.

Experienced alarm technicians develop a 'feel' for when to splice devices in parallel and when to splice in series. However, the key determinate is this: when a series splice will result in too much resistance, a parallel splice must be used. Before splicing anything, technicians can test a circuit in order to determine the amount of resistance present.

Measuring Resistance

Resistance is measured using a digital multimeter, or DMM. To measure resistance, turn the function dial of meter to the Ω (ohms) symbol, and touch the leads to the bare wires of the circuit. Technicians measure resistance in order to

  • Test that all devices on a circuit are functioning normally
  • Decide whether to keep devices on a zone or to split them up among multiple zones
  • Decide whether a circuit should be wired in series or in parallel
  • Record a baseline resistance at the time of installation
  • Troubleshoot, as a zone with a resistance reading well over baseline can indicate a broken wire or defective sensor

How Much Resistance Is Too Much?

There is no clear answer to the precise amount of devices, and consequently the precise amount of resistance, that should be allowable on a single detection circuit. As a general rule of thumb, many installers try to keep the baseline resistance on a single circuit to ~40Ω. Remember that the resistance will inevitably creep up over time, depending on the number and nature of sensors connected to the circuit, the number and nature of splices on the wire, the exact composition of the wire, and even the environment, which could cause the wire to oxidize faster or slower. The following animation shows the current slowing the more devices are added to the circuit:

Different alarm panel manufacturers have different standards for what constitutes an alarm condition, but all those standards are based on the panel reading the resistance on a zone circuit. If a circuit has a reading significantly higher than 40Ω, consider either using a parallel splice or splitting the zone, removing some devices from one zone and wiring them to a new zone.

Some installers prefer ITB splices because it allows them to decide to split the zone later on. If devices have been wired together using wire loops or field splices, this is not possible.

How Many Devices Is Too Many?

In theory, an installer can connect all the doors on a single zone, all the windows on another zone, all the motion detectors on a third zone, and so forth. However, this is quite an inefficient way of using an alarm. The more devices are on a single zone, the harder it will be for the user to figure out which device is causing the zone to be open.

If all the windows in a room are on a single zone, the user will have to check all of them before being able to arm the system. If a user wants to keep a single window open while arming the rest of the system, they would have to bypass all the windows in the room, which is a higher security risk than simply bypassing a single window. If central station needs to dispatch police or fire to the user's site, they will only be able to give a vague description of the location of the problem, not a specific location.

Most panels can only handle a limited number of zones out of the box. Using additional zones requires purchasing and installing zone expanders, which add to the overall cost of the installation. Using multiple zone expanders may require adding a second can, which likewise adds to the cost. The question of when to combine devices on a single zone and when to separate devices into separate zones has no easy answer, but becomes clearer with experience.

Wiring Sirens

Wiring sirens is slightly different than wiring other alarm devices.

  • Sirens are rated in watts, not volts like all other alarm devices
  • Watts are a measure of how much a power a device outputs
  • Volts a measure of how much power a device uses
  • Most sirens are rated to 30 watts

Most panels only have a single siren output. However, many applications call for the volume to be lower on some sirens than on others. For example, a siren mounted indoors would cause hearing damage if sounding at a full 110dB, but 110dB is necessary for notification outdoors. In order to have different volumes from a single output, installers can choose to wire sirens in either parallel (for louder volume) or in series (for lower volume). They can even choose to wire some sirens in parallel and other sirens in series. The sirens in series have more resistance than the sirens in parallel, so that there is more resistance, and therefore fewer watts, forcing the siren to sound at a lower volume.

Intrusion alarm siren wiring is a perfect illustration of Ohm's Law.

Ohm's Law

Understanding Ohm's Law makes alarm troubleshooting much easier. Ohm's Law states that there is a direct relationship between volts, amps, and ohms, specifically that volts equals amps times ohms. Amps is ohms divided by volts, and ohms is volts divided by amps. Adding resistance (ohms) makes the current (amps) go down, and adding current (amps) makes the resistance (ohms) go down.

The simplest way of lowering or raising the power available to the siren is by raising or lowering the resistance. This raises or lowers the amount of available power, which in turn affects the operation of the siren.

Understanding Ohm's Law can help a technician diagnose and repair power supplies, sensors, circuits, and sensors. Changing a splice from series to parallel, replacing a power supply for one that outputs the same voltage at a higher amperage, or adding a resistor are all repair options that an installer has once they understand how Ohm's Law works.

Source: IPVM.com & circuitstoday.com