After reading this article on PCI DSS 3.0, I'm curious: To what extent can video surveillance be used to help meet...
Requirement 9.9, physical access and point-of-sale (POS)?
The controls required by PCI DSS section 9.9 are designed to reduce the likelihood that an intruder will physically tamper with credit card processing devices in an attempt to obtain cardholder information. This may include placing a payment card "skimmer" device on a card processing terminal, or actually replacing an entire piece of hardware with a fraudulent device.
When trying to determine whether or not controls are sufficient to meet a particular requirement, the best course of action to take is to read the testing procedures an auditor will follow to determine if your company is compliant. In the case of Requirement 9.9, the testing procedure reads:
"Examine documented policies and procedures to verify they include:
- Maintaining a list of devices
- Periodically inspecting devices to look for tampering or substitution
- Training personnel to be aware of suspicious behavior and to report tampering or substitution of devices"
Notice there's nothing mentioned about video surveillance, and for good reason. Video surveillance is normally a reactive security control. Unless someone is actually watching the video surveillance -- which is unlikely in the case of many point-of-sale terminals -- they can only be used to identify the perpetrator after a breach occurs. The point of this requirement is to prevent and identify tampering or hardware substitution. You can enhance the security of point-of-sale systems by physically securing them and ensuring that staff is trained to recognize suspicious behavior, such as unauthorized individuals working on the devices or snooping around POS and networking equipment.
If you haven't already done so, now would be the time to update your organization's PCI DSS compliance program to ensure it is implementing the inventory, inspection and training requirements required by section 9.9. As of Jan 1 this year, PCI DSS 3.0 became mandatory, and QSAs are urging continuous compliance so enterprises can keep up with the many changes and additional documentation requirements.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Find out about the importance of daily log monitoring for PCI DSS compliance
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading