

Can video surveillance improve PCI DSS 3.0 compliance?

Requirement 9.9 of PCI DSS 3.0 focuses on physical security of point-of-sale systems. Expert Mike Chapple looks at whether or not video surveillance can help in that regard.

After reading this article on PCI DSS 3.0, I'm curious: To what extent can video surveillance be used to help meet Requirement 9.9, physical access and point-of-sale (POS)?

The controls required by PCI DSS section 9.9 are designed to reduce the likelihood that an intruder will physically tamper with credit card processing devices in an attempt to obtain cardholder information. This may include placing a payment card "skimmer" device on a card processing terminal, or actually replacing an entire piece of hardware with a fraudulent device.

When trying to determine whether or not controls are sufficient to meet a particular requirement, the best course of action is to read the testing procedures an auditor will follow to determine if your company is compliant. In the case of Requirement 9.9, the testing procedure reads:

"Examine documented policies and procedures to verify they include:

  • Maintaining a list of devices
  • Periodically inspecting devices to look for tampering or substitution
  • Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices"

Notice there's nothing mentioned about video surveillance, and for good reason. Video surveillance is normally a reactive security control. Unless someone is actually watching the video feed -- which is unlikely in the case of many point-of-sale terminals -- it can only be used to identify the perpetrator after a breach occurs. The point of this requirement is to prevent and identify tampering or hardware substitution. You can enhance the security of point-of-sale systems by physically securing them and ensuring that staff is trained to recognize suspicious behavior, such as unauthorized individuals working on the devices or snooping around POS and networking equipment.

If you haven't already done so, now would be the time to update your organization's PCI DSS compliance program to ensure it implements the inventory, inspection and training controls required by section 9.9. As of Jan 1 this year, PCI DSS 3.0 became mandatory, and QSAs are urging continuous compliance so enterprises can keep up with the many changes and additional documentation requirements.
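An added example, not from the article or from the PCI Council: a small Python reconciliation that turns the 9.9 device list and periodic inspection records into findings for follow-up, flagging serial mismatches (possible substitution), broken tamper seals, stale inspections and devices that are not on the approved list. The asset tags, serials, dates and the 30-day inspection interval are constructed sample values, not requirements of the standard.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Device:
    asset_id: str   # tag attached to the terminal
    serial: str     # serial recorded when the device was deployed

@dataclass(frozen=True)
class Inspection:
    asset_id: str       # tag read off the device during the walk-round
    serial_seen: str    # serial printed on the device's label
    inspected_on: date
    seals_intact: bool  # tamper-evident seals present, no overlay or extra cable

def reconcile(inventory, inspections, today, max_age_days=30):
    """Return (asset_id, finding) pairs, sorted, for the 9.9 escalation procedure."""
    expected = {d.asset_id: d for d in inventory}
    latest, findings = {}, []
    for ins in inspections:
        if ins.asset_id not in expected:
            # Hardware on the floor that nobody approved: possible fraudulent device.
            findings.append((ins.asset_id, "not in inventory: unapproved device"))
        elif ins.asset_id not in latest or ins.inspected_on > latest[ins.asset_id].inspected_on:
            latest[ins.asset_id] = ins  # keep only the most recent inspection
    for asset_id, dev in expected.items():
        ins = latest.get(asset_id)
        if ins is None:
            findings.append((asset_id, "never inspected"))
            continue
        if ins.serial_seen != dev.serial:
            findings.append((asset_id, f"serial mismatch (expected {dev.serial}, saw {ins.serial_seen}): possible substitution"))
        if not ins.seals_intact:
            findings.append((asset_id, "tamper-evident seal broken or overlay fitted"))
        age = (today - ins.inspected_on).days
        if age > max_age_days:
            findings.append((asset_id, f"inspection overdue: {age} days since last check"))
    return sorted(findings)

def demo():
    # Constructed sample data, not real terminals.
    inventory = [Device("POS-001", "SN-1001"), Device("POS-002", "SN-1002"),
                 Device("POS-003", "SN-1003")]
    inspections = [Inspection("POS-001", "SN-1001", date(2015, 1, 10), True),
                   Inspection("POS-002", "SN-9999", date(2015, 1, 12), True),   # swapped?
                   Inspection("POS-003", "SN-1003", date(2014, 11, 1), True),   # stale
                   Inspection("POS-004", "SN-4444", date(2015, 1, 12), True)]   # unknown
    return reconcile(inventory, inspections, today=date(2015, 1, 15))
```

Running `demo()` yields one finding each for POS-002 (substitution), POS-003 (overdue) and POS-004 (not in inventory); POS-001 produces nothing because its serial, seals and inspection date all check out.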



This was last published in January 2015
