Any company that accepts or produces credit cards must be PCI compliant, which means adhering to a series of requirements. In this article, we’re going to primarily address PCI DSS (Data Security Standard), the more broadly applicable standard, and explain what type of security camera system you need to be compliant.
It is important that anyone who deals with credit cards adheres to these standards, which can be found here.
According to the latest standards, PCI DSS applies to “all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”
There are other standards related to card production that have even stricter guidelines, but since that only deals with a few specific business types, we’re going to focus this article on the more applicable DSS standards.
The short answer is that it depends. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as follows:
“Note: ‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.”
To summarize, if you don’t have access control, then YES, you need cameras in these sensitive areas to protect cardholder data.
Continuing from the answer above, you aren’t required to have security cameras around your point-of-sale machines. However, you need a video security system and/or an access control system anywhere that might house or process sensitive information.
For a large retail store, this might be your server room, data closet, or anywhere else you have machines or servers that process cardholder data. The cameras must be at every entrance and exit so you can document who has entered and left this sensitive area.
For non-sensitive areas (places where you have credit card machines), there is no requirement to have video security, and even if you do have it, there is no requirement for how long the video needs to be retained.
If you are using security cameras for sensitive areas (as defined above), then you need to retain the footage for 3 months and it should capture all entrances and exits so you can identify who has entered and exited at any given time.
There is no explicit requirement for an offsite backup, but requirement 9.5.1 encourages entities to store all media at an off-site facility.
To properly secure sensitive areas, we recommend having 24x7 security footage so that you can see everyone who has entered or exited this area.
There are no other requirements around FPS, night vision, or anything else at the time of this article. If this changes in the future, we’ll be sure to update this article accordingly.
This article sums up the main requirements around PCI compliance. If you’re looking for a PCI compliant video security solution, please feel free to reach out and we can help design a system that works specifically for your needs!