Payments Security and Video Surveillance: What to Know
If your organization handles credit card payments, you’re sure to know about the security guidelines outlined by the Payment Card Industry (PCI). This post provides a brief background into the PCI’s Data Security Standard (DSS) and outlines what to consider when assessing your organization’s physical security systems.
While PCI DSS doesn’t explicitly mandate the use of security cameras, the guidelines do recommend ways that video surveillance can support a strong payments security regime. At a minimum, look for technology that:
Avoids insecure protocols (e.g., RTSP video streams)
Uses encrypted connections only (e.g., HTTPS/SSL)
Encrypts data at rest
Uses modern standards for identity management and user authentication
Retains recorded video for at least 90 days
Guards against tampering by internal or external actors
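The checklist above is easiest to apply consistently when it is written down as a check that runs over your camera inventory. The following is an added example, not code from the original post or from Verkada; the inventory format, field names (`protocol`, `encrypted_at_rest`, `auth_methods`, `retention_days`, `uses_default_password`) and the sample cameras are all constructed assumptions, and the "secure" and "insecure" protocol sets are this example's own classification rather than anything PCI DSS enumerates.

```python
"""Audit a video-surveillance inventory against the checklist above:
no plaintext protocols, encryption in transit and at rest, modern
authentication, no vendor default passwords, and 90-day retention.
Added example with a constructed inventory; not any vendor's API."""
from dataclasses import dataclass
from typing import Dict, List

MIN_RETENTION_DAYS = 90                                   # "at least 90 days"
INSECURE_PROTOCOLS = {"rtsp", "http", "ftp", "telnet"}     # plaintext transports
SECURE_PROTOCOLS = {"https", "rtsps", "wss"}               # TLS-wrapped transports
MODERN_AUTH = {"saml", "oauth2", "oidc", "mfa"}            # assumed "modern" schemes


@dataclass
class Camera:
    name: str
    protocol: str                 # transport the video/management stream uses
    encrypted_at_rest: bool       # stored footage is encrypted on the device/cloud
    auth_methods: List[str]       # e.g. ["saml", "mfa"] or ["password"]
    retention_days: int           # how long recorded video is kept
    uses_default_password: bool = False


def audit_camera(cam: Camera) -> List[str]:
    """Return a list of human-readable findings; empty means compliant."""
    findings: List[str] = []
    proto = cam.protocol.lower()
    if proto in INSECURE_PROTOCOLS:
        findings.append(f"insecure protocol '{proto}' (plaintext stream)")
    elif proto not in SECURE_PROTOCOLS:
        findings.append(f"unknown protocol '{proto}'; cannot confirm encryption in transit")
    if not cam.encrypted_at_rest:
        findings.append("recorded video is not encrypted at rest")
    methods = {m.lower() for m in cam.auth_methods}
    if not methods & MODERN_AUTH:
        findings.append("no modern identity/authentication method (SAML, OAuth2, OIDC or MFA)")
    if cam.uses_default_password:
        findings.append("vendor default password still in use")
    if cam.retention_days < MIN_RETENTION_DAYS:
        findings.append(
            f"retention {cam.retention_days} days is below the {MIN_RETENTION_DAYS}-day minimum"
        )
    return findings


def audit_inventory(cams: List[Camera]) -> Dict[str, List[str]]:
    """Return only the cameras that have findings, keyed by camera name."""
    report: Dict[str, List[str]] = {}
    for cam in cams:
        findings = audit_camera(cam)
        if findings:
            report[cam.name] = findings
    return report


# Constructed sample inventory: one compliant camera, one legacy camera
# with several gaps, and one that is fine apart from its authentication.
SAMPLE_INVENTORY = [
    Camera("server-closet-1", "https", True, ["saml", "mfa"], 90),
    Camera("pos-lane-3", "rtsp", False, ["password"], 30, uses_default_password=True),
    Camera("back-office", "https", True, ["password"], 120),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as a script it prints the non-compliant cameras with their findings; in practice you would load the inventory from whatever export your camera management console provides and run the audit on a schedule so that a newly added camera with a plaintext stream or a short retention window is caught before an assessor finds it.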
Read on for more details on PCI DSS and its guidelines for strengthening your physical security operations.
In a nutshell, the Payment Card Industry Data Security Standard (or PCI DSS) is a set of requirements for the protection of payment card data. The Payment Card Industry Security Standards Council established them to better protect cardholder data, and the most recent iteration was released in 2016.
Who needs to be PCI compliant? Well, anyone with a system coming into contact with payment card information, whether they’re transmitting, processing, or storing the data.
If your business or service routinely comes into contact with card information, it’s likely that you address most of these requirements already. Requirements for PCI compliance include measures such as:
Implementing unique passwords
Cardholder data encryption
Routine system health checks
Monitoring network access
Enforcing information security policies
These categories are further broken out into 12 sections, with each section comprised of its own subset of action items. Check out the full list at PCISecurityStandards.org.
While most PCI compliance requirements are met virtually, there is an entire section dedicated to restricting physical access to card data — Requirement number 9, to be exact. This is where surveillance security comes into play.
Requirement 9: Physical Security
Compliance Requirement 9.1 recommends that compliant and secure systems “use either video cameras or access control mechanisms to monitor individual physical access to sensitive areas.” This means that any area housing or processing cardholder data must be outfitted with surveillance and restrictions to physical access. The system must be reliable — resistant to tampering, and able to retain footage for a set period of time.
To fulfill PCI’s guidelines for video security, collected surveillance data must be stored for at least three months. This ensures that security personnel have ample time to review historical footage in the event of an incident compromising card data. Also look for technology with audit logs that can provide a forensic trail in the case of a data breach.
How Verkada Helps with Payments Security
Deployed purposefully across your business, Verkada can help simplify and strengthen your PCI compliance regime while delivering insights that improve the efficiency of your operations.
Verkada cameras automatically retain video for 90 days, all without outdated NVRs, DVRs, and server equipment. By default, data is encrypted at all times (in transit and at rest) using modern standards. A Verkada camera can be deployed in minutes — easily add coverage for a data closet, a new POS station, or an entirely new office.
Verkada also addresses needs for data security. All Verkada systems offer SAML/OAuth and/or 2-factor authentication, and do not use vendor default passwords. With regard to Requirement 10, Verkada logs and securely backs up all user access information. And when it comes to viewing live feeds or reviewing stored footage, authorized users can gain access via Verkada’s secure cloud-based software, available 24/7 on any device.
Depending on your organization, official PCI compliance is determined by external Qualified Security Assessors, Internal Security Assessors, or a Self-Assessment Questionnaire. Learn more at PCISecurityStandards.org.