June 25, 2019
What Type of Video Security System Do You Need to Be PCI Compliant?
Any company that accepts or produces credit cards must be PCI compliant, which brings with it a series of requirements the company must adhere to. In this article, we’re going to primarily address PCI DSS (Data Security Standard), the more broadly applicable standard, and explain what type of security camera system you need to be compliant.
Who do these PCI standards apply to?
It is important that anyone who deals with credit cards adhere to these standards, which can be found here.
According to the latest standards, PCI DSS applies to “all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”
There are other standards related to card production that have even stricter guidelines, but since that only deals with a few specific business types, we’re going to focus this article on the more applicable DSS standards.
Are security cameras required for PCI DSS?
The short answer is that it depends. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as below:
“Note: ‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.”
To summarize, if you don’t have access control, then YES, you need cameras in these sensitive areas to protect cardholder data.
Do you have to use security cameras anywhere you process credit cards?
Continuing from the answer above, you aren’t required to have security cameras around your point-of-sale machines. However, you need a video security system and/or an access control system anywhere that might house or process sensitive information.
For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.
If I use cameras for PCI, how long do I have to store the data?
For non-sensitive areas (places where you have credit card machines), there is no requirement to have video security, and even if you do have it, there is no requirement for how long the video must be retained.
If you are using security cameras for sensitive areas (as defined above), then you need to retain the footage for 3 months, and it should capture all entrances and exits so you can identify who has entered and exited at any given time.
Does the video need to be stored or backed up to an off-premise location?
There is no explicit requirement for an offsite backup, but requirement 9.5.1 encourages entities to store all media at an off-site facility.
Can the video retention be motion-based?
To properly secure sensitive areas, we recommend having 24x7 security footage so that you can see everyone who has entered or exited this area.
Are there any requirements around frames per second, night vision, or anything else?
There are no other requirements around FPS, night vision, or anything else at the time of this article. If this changes in the future, we’ll be sure to update this article accordingly.
This article sums up the main requirements around PCI compliance. If you’re looking for a PCI compliant video security solution, please feel free to reach out and we can help design a system that works specifically for your needs!