Get Demo
Demo

Payments Security and Video Surveillance: What to Know

Adam Sewall Apr 06, 2018

If your organization handles credit card payments, you’re sure to know about the security guidelines outlined by the Payment Card Industry (PCI). This post provides a brief background into the PCI’s Data Security Standard (DSS) and outlines what to consider when assessing your organization’s physical security systems.

While PCI DSS doesn’t explicitly mandate the use of security cameras, the guidelines do recommended ways that video surveillance can support a strong payments security regime. At a minimum, look for technology that:

  • Avoids insecure protocols (e.g., RTSP video streams)

  • Uses encrypted connections only (e.g., HTTPS/SSL)

  • Encrypts data at rest

  • Uses modern standards for identity management and user authentication

  • Retains recorded video for at least 90 days

  • Guards against tampering by internal or external actors

Read on for more details on PCI DSS and its guidelines for strengthening your physical security operations.

View Verkada’s PCI Solution Overview (PDF) » 

PCI Primer

In a nutshell, the Payment Card Industry Data Security Standard (or PCI DSS) is a set of requirements for the protection of payment card data. The Payment Card Industry Security Standards Council set them up to better protect cardholder data, and the most recent iteration was released in 2016.

Who needs to be PCI compliant? Well, anyone with a system coming into contact with payment card information, whether they’re transmitting, processing, or storing the data.

 

What’s Required?

If your business or service routinely comes into contact with card information, it’s likely that you address most of these requirements already. Requirements for PCI compliance include measures such as:

  • Implementing unique passwords

  • Cardholder data encryption

  • Routine system health checks

  • Monitoring network access

  • Enforcing information security policies

These categories are further broken out into 12 sections, with each section comprised of its own subset of action items. Check out the full list at PCISecurityStandards.org.

While most PCI compliance requirements are met virtually, there is an entire section dedicated to restricting physical access to card data — Requirement number 9, to be exact. This is where surveillance security comes into play.

 

Requirement 9: Physical Security

Compliance Requirement 9.1 recommends that compliant and secure systems “use either video cameras or access control mechanisms to monitor individual physical access to sensitive areas.” This means that any area housing or processing cardholder data must be outfitted with surveillance and restrictions to physical access. The system must be reliable — resistant to tampering, and able to retain footage for a set period of time.

To fulfill PCI’s guidelines for video security, collected surveillance data must be stored for at least three months. This ensures that security personnel have ample time to review historical footage in the event of an incident compromising card data. Also look for technology with audit logs that can provide a forensic trail in the case of a data breach.

 

How Verkada Helps with Payments Security

Deployed purposefully across your business, Verkada can help simplify and strengthen your PCI compliance regime while delivering insights that improve the efficiency of your operations.

Verkada cameras automatically retain video for 90 days, all without outdated NVRs, DVRs, and server equipment. By default, data is encrypted at all times (in transit and at rest) using modern standards. A Verkada camera can be deployed in minutes — easily add coverage for a data closet, a new POS station, or an entirely new office.

Verkada also addresses needs for data security. All Verkada systems offer SAML/Oath and/or 2-factor authentication, and do not use vendor default passwords. With regards to Requirement 10, Verkada logs and securely backs up all user access information. And when it comes to viewing live feeds or reviewing stored footage, authorized user can gain access via Verkada’s secure cloud-based software, available 24/7 on any device.

Depending on your organization, official PCI compliance is determined by external Qualified Security Assessors, Internal Security Assessors, or a Self-Assessment Questionnaire. Learn more at PCISecurityStandards.org.

Adam Sewall
Adam Sewall is VP of Marketing & Partnerships at Verkada, having previously worked in product and go to market roles at Wizeline and Ooyala, a video technology company. Outside of work, he likes to hike, camp and play ice hockey.
Dec

Digital Zoom in Verkada Command

With this feature release, you can now easily zoom on live and historical video within your Verkada Command account.

Read more
Apr

Meet Verkada at ISC West

See you at ISC West! Meet with our founders, executive leaders, and members of our sales and partnership team at the largest physical security trade show in North America.

Read more