PCI DSS compliance is a requirement for many merchants and organizations in the United States. Here’s a closer look at how security cameras can be part of an effective PCI compliance solution.
The Payment Card Industry Data Security Standard (PCI DSS, or simply PCI) is a set of information security standards that applies to any merchant or organization that handles payment card transactions. PCI compliance standards are designed to ensure the security of payment card information and reduce risks from payment card fraud, identity theft, and payment card hijacking.
This article provides an overview of PCI compliance requirements, challenges, and potential solutions as they relate to security cameras, which can be an important tool for helping organizations meet certain compliance program objectives. This understanding can help you assess your compliance needs and implement appropriate security camera solutions to become or remain PCI compliant.
Understanding PCI Compliance
PCI DSS is administered by the PCI Standards Council, which comprises the major credit lenders. Compliance with the PCI standard is not required by law, but the standard is imposed contractually by payment card companies through their agreements with merchants and service providers.
The PCI Standards Council’s PCI DSS v4.0 Quick Reference Guide outlines 12 baseline requirements for handling and protecting payment card data throughout the payment lifecycle:
1. Install and maintain network security controls
2. Apply secure configurations to all system components
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
12. Support information security with organizational policies and programs
PCI compliance is a requirement for any organization that accepts, handles, stores, transmits, or otherwise interacts with cardholder data. You must be PCI compliant even if you:
- Only process one credit card transaction a month
- Use a third-party payment processor
- Don’t store credit card data, but it passes through your server
- Are a non-profit or non-business entity that interacts with cardholder data
Drawbacks of Being PCI Non-Compliant
Non-compliant organizations fail to capture the substantial value offered by adopting the PCI DSS standards. Non-compliance is associated with the following penalties and drawbacks:
Increased risk of data breaches. Even a single data breach can have a devastating effect on a business: according to the 2023 IBM Cost of a Data Breach Report, the global average cost of a data breach in 2023 was USD 4.45 million.
Reduced safety of cardholder data. Losing cardholder data in a breach or security incident creates unhappy and mistrustful customers, vendors, and partners. Cardholders whose data has been compromised must be notified in writing, which can create significant costs.
Higher potential for reputational damage. Damage to business reputation and customer trust can be difficult to quantify; however, the impact can be felt in reduced sales, loss of market position, employee dissatisfaction, and investor anger.
Potential exposure to fines & awards for damages. Non-compliance fines can be imposed for a PCI data security incident or breach. Litigation is costly by itself and can lead to expensive damage awards.
Maintaining PCI compliance helps organizations manage risk by reducing data breaches, protecting cardholder data, avoiding fines, and improving brand reputation.
How Security Cameras Can Help Support PCI Compliance
PCI Requirement 9.2.1 states:
“Individual physical access to sensitive areas within the CDE [cardholder data environment] is monitored with either video cameras or physical access control mechanisms (or both) as follows:
- Entry and exit points to/from sensitive areas within the CDE are monitored.
- Monitoring devices or mechanisms are protected from tampering or disabling.
- Collected data is reviewed and correlated with other entries.
- Collected data is stored for at least three months, unless otherwise restricted by law.”
The following are some key considerations to more fully understand how to use security cameras for PCI compliance:
Are security cameras required for PCI compliance?
It depends. The PCI standard requires “either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas,” which allows some flexibility. “Sensitive areas” include:
“data centers, server rooms, back-office rooms at retail locations, and any area that concentrates or aggregates cardholder storage, processing, or transmission. . . This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store”
Bottom line: If your PCI compliance solution lacks relevant access control, then you will need security cameras monitoring individual physical access to your organization’s sensitive areas.
If I use cameras for PCI compliance, how long do I have to store the data?
For “sensitive areas” defined above, data collected by a security camera system must be retained for at least three months unless restricted by law. If there are multiple entrances/exits, then all entry and exit points must be tracked. Access can be fully monitored by either access control, a camera, or a combination of both.
Additionally, the compliance guidelines state that both primary and backup copies of the footage must exist.
Verkada hybrid cloud cameras are a great solution as they use a combination of onboard camera storage and cloud storage. With this distributed approach to storing video footage, you can ensure continuous recording and no gaps in surveillance footage.
Assessing security camera systems for protection against tampering or disabling
Per the above, security cameras suitable for PCI compliance should have protection against tampering or disabling.
Bad actors attempting to access sensitive areas will often try to disable or interfere with the security camera system. To guard against this risk, security camera systems should have protections against tampering with or disabling the device and/or the footage. When evaluating a camera system, look for one that:
- Operates on a separate network from your payment processing system
- Avoids insecure protocols (e.g. RTSP video streams)
- Uses encrypted connections only (e.g. HTTPS/TLS)
- Encrypts data at rest
- Uses modern standards for identity management & user authentication
- Retains recorded video for at least three months
Key considerations when using security cameras for PCI compliance
Here are four additional considerations specific to security cameras in the context of PCI compliance:
- Regularly scheduled risk assessments. A full understanding of the security camera system, business environment, and threat environment allows for any adjustments needed to maintain compliance and continuously improve processes.
- Employee training & awareness. Educating employees about PCI compliance is essential to program success. Employees who are aware can understand how their role can impact compliance and support ongoing program success.
- Partnering with a vendor. A vendor that understands PCI compliance using security cameras and that offers solutions can remove the burden of program management from your staff, so you can focus on your mission-critical activities. Vendors also have knowledge leadership in the field that typically yields optimal program performance and results.
- Security cameras + access control. A hybrid solution provides the highest level of compliance and protection. Seamless integration of access control with security cameras provides a framework for full visibility and control of your security environment.
Can the video retention be motion-based?
The PCI standard does not specify whether security systems that utilize motion-based video may be used. However, 24/7 recording with time stamps provides a comprehensive, clear record of all entry and exit events in an area for access control purposes.
The advantage of motion-based recording is reduced costs for storage. The disadvantages include false positives from background motion (passing cars, blowing leaves, birds, etc.) and false negatives (cameras not activating to record incidents). 24/7 recording avoids those disadvantages, while the three-month requirement under PCI makes data storage costs manageable.
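The retention and "no gaps" points above (three months of footage for every entry and exit point, and the false negatives of motion-based recording) can be checked mechanically against a recorder's segment index. The following is an added example, not part of the original article or any vendor's product: the entry-point names, camera IDs, the 90-day reading of "three months", and the 5-second seam tolerance are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)  # assumption: "three months" taken as 90 days
MAX_SEAM = timedelta(seconds=5)  # assumption: tolerated seam between segments


def coverage_gaps(segments, now, retention=RETENTION, max_seam=MAX_SEAM):
    """Return (start, end) spans inside [now - retention, now] with no footage."""
    cursor = now - retention  # everything before cursor is already covered
    gaps = []
    for start, end in sorted(segments):
        if end <= cursor:
            continue  # segment lies entirely before the covered point
        if start >= now:
            break  # remaining segments start after the audit time
        if start - cursor > max_seam:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if now - cursor > max_seam:
        gaps.append((cursor, now))
    return gaps


def audit(entry_points, recordings, now):
    """Map each entry/exit point to its gaps, pooling footage from its cameras."""
    report = {}
    for point, cameras in entry_points.items():
        pooled = [seg for cam in cameras for seg in recordings.get(cam, [])]
        report[point] = coverage_gaps(pooled, now)
    return report


# Constructed sample data: names, dates and segments are illustrative only.
NOW = datetime(2024, 6, 30)
ENTRY_POINTS = {
    "server-room-door": ["cam-1"],
    "back-office-door": ["cam-2", "cam-3"],
    "loading-dock": [],  # entry point with no camera assigned
}
RECORDINGS = {
    "cam-1": [(NOW - timedelta(days=120), NOW)],
    "cam-2": [(NOW - timedelta(days=100), NOW - timedelta(days=40))],
    "cam-3": [(NOW - timedelta(days=30), NOW)],
}

if __name__ == "__main__":
    for point, gaps in audit(ENTRY_POINTS, RECORDINGS, NOW).items():
        print(point, "OK" if not gaps else [(str(a), str(b)) for a, b in gaps])
```

An entry point with no gaps has continuous footage for the whole window; any reported span is a period an assessor could not review, whether it comes from a camera outage, a missed motion trigger, or a door with no camera assigned.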
Achieving PCI compliance is simply the beginning. Maintaining compliance requires a consistent, strategic commitment to an ongoing compliance program. The three most important elements of an effective program are:
- Dedicate resources necessary to continuously maintain compliance. This includes commitments of people and technologies.
- Regularly assess & test the information security environment. Implement a framework to identify whether controls are working and enact appropriate changes that support continuous improvement.
- Mature your vulnerability management. Vulnerability scans, patching, configuration management, passwords, and permissions reviews are part of an ongoing program to understand and respond to evolving vulnerabilities.
* Disclaimer: The information in this post is for informational purposes only and should not be relied upon as formal advice for any purpose. You should consult with experts in PCI compliance before taking any action. We make no representations or warranties about the accuracy or completeness of the information presented and may not maintain it. We are not responsible for any damages or losses that may occur because of your reliance on the information in this post.