
Can video surveillance improve PCI DSS 3.0 compliance?

Requirement 9.9 of PCI DSS 3.0 focuses on physical security of point-of-sale systems. Expert Mike Chapple looks at whether or not video surveillance can help in that regard.

After reading this article on PCI DSS 3.0, I'm curious: To what extent can video surveillance be used to help meet Requirement 9.9, physical access and point-of-sale (POS)?

The controls required by PCI DSS section 9.9 are designed to reduce the likelihood that an intruder will physically tamper with credit card processing devices in an attempt to obtain cardholder information. This may include placing a payment card "skimmer" device on a card processing terminal, or actually replacing an entire piece of hardware with a fraudulent device.

When determining whether controls are sufficient to meet a particular requirement, the best course of action is to read the testing procedures an auditor will follow to determine whether your company is compliant. In the case of Requirement 9.9, the testing procedure reads:

"Examine documented policies and procedures to verify they include:

  • Maintaining a list of devices
  • Periodically inspecting devices to look for tampering or substitution
  • Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices"

Notice there's nothing mentioned about video surveillance, and for good reason. Video surveillance is normally a reactive security control. Unless someone is actually watching the video feed -- which is unlikely in the case of many point-of-sale terminals -- the footage can only be used to identify the perpetrator after a breach occurs. The point of this requirement is to prevent and identify tampering or hardware substitution. You can enhance the security of point-of-sale systems by physically securing them and ensuring that staff is trained to recognize suspicious behavior, such as unauthorized individuals working on the devices or snooping around POS and networking equipment.

If you haven't already done so, now would be the time to update your organization's PCI DSS compliance program to ensure it implements the inventory, inspection and training requirements of section 9.9. As of Jan. 1 this year, PCI DSS 3.0 became mandatory, and QSAs are urging continuous compliance so enterprises can keep up with the many changes and additional documentation requirements.


This was last published in January 2015


Does your organization use video surveillance as a physical security measure?
Currently, security is a priority for many organizations and I have been using video surveillance. I rarely have to employ more staff to monitor my business undertakings, though I shouldn't be relying on video surveillance alone.

Customers could be problematic and once in a while, someone would consider causing trouble around the organization. To protect myself from all misgivings, I use video surveillance to ensure duties are carried out as planned and information is safeguarded.

We do use video surveillance as a physical security measure. What we have noticed is that although, as the article points out, it is typically a reactive measure, the mere presence of the video cameras serves as a proactive visual deterrent as well. It also allows our security personnel to monitor multiple areas of the campus from a single, centralized location.

We use video surveillance on those floors that house our PC & Mac labs, medical labs and dental labs. We do not monitor the cameras in real time; instead, we access the recordings only when we know an incident has occurred. Prior to installing the cameras, we had several incidents that went unsolved. Since the installation of the cameras we have had only one minor incident and that was resolved quickly.