Providing PCI-Compliant Video Surveillance
If you count retailers in your customer base, you are well aware of the importance of payment card industry (PCI) compliance. If not, you are soon to be on the fast track to understanding how this three-letter acronym will impact your business.
Today, any merchant that accepts credit cards must be in compliance with PCI Security Standards Council standards. These standards were enacted to help safeguard credit card data from being stolen through network breaches and ineffective IT security practices. While there are several PCI security standards, the most applicable to the video surveillance industry is the PCI DSS (Payment Card Industry Data Security Standard). PCI DSS outlines actions that must be taken both by payment software vendors (such as the makers of point-of-sale applications that handle credit card transactions) and by the merchants themselves in how they configure and protect the network to which the payment systems are connected.
“PCI compliance is a basic requirement for our retail clients today,” stated Bob Lynch of Loss Prevention Solutions Inc., a Pennsylvania-based business security specialist. “Our clients demand certain features specific to their business model and part of that is PCI-compliance.”
To many, PCI compliance appears to be an issue between the payment card companies, such as Visa, MasterCard, American Express, etc., and the merchants who accept or process payment cards. But as more devices reside on the network, merchants want to know that those devices will not compromise their network’s integrity or security. Their concern is that a device or application that sits on their network could in effect be a potential entry point into their protected network and lead to a compromise of cardholder data. This makes PCI compliance a real issue for any video surveillance equipment utilizing the network.
“PCI compliance is a must for our network folks,” emphasized Loss Prevention Director Joe Lindstrom, Ratner Companies, the largest family-owned and operated chain of hair salons in the country, operating nearly 800 salons in 16 states. “Our IS/IT department requires written documentation of PCI compliance and wants to scan any equipment we are considering to deploy in order to verify that our customer’s data will not be compromised.”
It is this need to secure the merchants’ entire network as well as the devices and software attached to the network that creates the demand for video surveillance vendors to meet PCI standards. The stakes are high: failure to comply with the standards could result in significant fines for merchants and the possible cancellation of their credit and debit card processing privileges.
“Only a few video surveillance manufacturers claim to have PCI-compliant products,” Lynch said. “Those that can actually document their compliance are few and far between. I found [3xLOGIC] to be on the cutting-edge as it relates to being PCI-compliant.”
So how do video surveillance vendors demonstrate that their devices are secure and compliant with PCI standards? Currently the options are limited. Manufacturers like 3xLOGIC, Westminster, Colo., need to engage a certified Cardholder Information Security Program (CISP)-compliant auditing firm to determine whether their processes and products comply with PCI standards and requirements. Products are subjected to a full scan by an approved scanning vendor (ASV), with the product configured exactly as it will be deployed. A thorough scan will expose commonly exploited vulnerabilities, which the manufacturer must then mitigate before the product can be documented as compliant.
“We take all of our prospective vendors and we put them in front of our IS/IT department to help us in our decision-making process because we want to make sure that our data will be secure and that it is going to fit today as well as tomorrow, understanding that PCI compliance changes,” Lindstrom pointed out. “3xLOGIC was the only video surveillance vendor selected by our IS/IT department, especially given our commitment to data security. They proved to be the only supplier that could actually provide us written documentation of PCI compliance and allowed us to scan their equipment in order to verify that.”
The concern that devices added to a network can serve as a potential entry point for a breach of the network’s integrity cannot be overlooked, yet many loss-prevention teams want to access and view surveillance footage remotely on a daily basis. As such, the network connectivity and bandwidth utilization of video management systems are also a concern.
“We suffered before with poor quality video and that was certainly hurting our case for existing capital expenditures as well as securing additional capital, because a system is only as good as its end use,” Lindstrom observed. “What we found very valuable with 3xLOGIC was crystal clear video and the ease of use for all of the regional loss prevention folks that were out there. The system actually takes the video and makes it incredibly easy to play back for someone who may not be extremely technical.”
The typical configuration of a camera installation at one of Ratner Companies’ hair salons involves two cameras: one megapixel camera on the front desk and one 360-degree camera in the center of the salon.
“We found that 3xLOGIC’s compression enabled us to have excellent quality video with a megapixel camera, most notably the 360-degree camera — even with our limited bandwidth. Our business is a service-based business and we need to be able to see from all angles to differentiate what type of service is being performed and the megapixel camera from 3xLOGIC provides that,” Lindstrom described.
As the demands for PCI-compliant products grow, the expertise in knowing how to deploy such products without compromising the integrity of a client’s network security plan is paramount — and can lead to long-term relationships.