The Impact of PCI Compliance on DVR and NVRs

By Dave Nieweg, Published on Aug 01, 2008

Surveillance vendors who sell to retail merchants have undoubtedly heard about PCI compliance, but may not understand exactly what it is and how it impacts the security industry. My company, 3xLogic, recently successfully completed a comprehensive PCI compliance audit for our DVR/NVRs. This report shares what we learned and how we achieved this. For more information on how PCI compliance may affect retailers, see our whitepaper on PCI compliance.

At first glance, PCI compliance appears to be an issue between the payment card companies such as VISA and the merchants who accept credit cards. However, as merchants are being required to comply, they are passing some of the impact down to the vendors whose systems sit on their network.

What the merchants aren’t saying is what they want the surveillance vendors to specifically do. We often hear, “We need your system to be PCI compliant before we can put it on the network”, but offer little assistance in defining exactly what PCI compliance means for the surveillance vendor.

In fact, a visit to the PCI Council’s website does little more than to confuse the issue further since it primarily deals with the responsibilities of software companies who provide payment applications and the merchants who accept credit cards. Any attempt to find information about non-payment systems leaves one with a very unclear understanding of a course of action.

WHAT IS PCI?

Simply put, the Payment Card Industry – Data Security Standards (PCI-DSS) is one of a set of requirements designed to help safeguard credit card data from being stolen through network breaches and ineffective IT security practices. Recent high-profile cases including TJX and Hannaford have served to highlight the need for merchants to take some measure of responsibility in protecting cardholder data.

Originally most card providers such as Visa and MasterCard had established their own proprietary rules regarding the handling of credit card data by merchants. Concern and confusion by the merchants over varying and overlapping requirements by the rival card companies prompted the card issuers to create an independent organization and standard for protecting credit card data. This entity is known as the PCI Security Council and while there are actually several standards, the most applicable to our industry is the PCI-DSS.

The PCI-DSS provides a variety of actions that must be taken by both payment software vendors (such as POS applications that handle credit cards) and the merchants themselves in how they configure and protect the network that the payment systems are connected to. The main issue is that any device or application that sits on the merchant’s network could in effect be a potential entry point into the protected network and lead to a compromise of cardholder data.


It is this need to secure the merchant’s entire network, as well as the devices and software attached to the network, that creates the demand for video surveillance vendors to meet PCI requirements, or more specifically, to provide solutions which are secure enough that they do not compromise the merchant’s network security plan.

Achieving Compliance

So how does a video surveillance vendor (or any other manufacturer for that matter) comply with this request to become PCI compliant?

Be aware that there is no process or standard offered by the PCI Council which allows a non-payment application or network equipment provider to become certified as being PCI compliant. It simply does not exist. Yet, we have merchants who think that they are doing the right thing by asking their vendors to get PCI certification, an impossible task. The answer is in both the details of what we are trying to accomplish and using the proper words when discussing PCI requirements.

What the merchant really wants is to:

1. Build and maintain a secure network

2. Ensure that any solution added to the network does not introduce an insecurity

3. Ensure that added solutions do not break their PCI compliance efforts

4. Have the solution vendor give them some form of validation that the solution is secure, can be maintained in a secure manner, and adheres to industry best practices and standards

5. Have the vendor pick up some of the liability if the network is found not to be secure either through a breach or audit.

So let’s cover each of those five bullets briefly to further understand the impact to surveillance vendors.

The merchant needs to build and maintain a secure network

This should be a basic requirement any vendor seeks to achieve yet the truth is that while the security industry as a whole may be great at physical security, we historically lack the required skill set when it comes to network security. But let’s face it, our solutions are now on the network and therefore we need to learn how to provide secure solutions.

Ensure that any solution added to the network does not introduce an insecurity

There are two issues here that impact surveillance vendors.

The first is the inherent or built-in security that the solution has as it leaves the manufacturer’s back door. Many solutions being shipped today utilize highly vulnerable technologies such as web applications and non-secured operating systems, and may even have a wide variety of exploitable technologies built into the product.

Manufacturers first need to understand the most current threats and then need to evaluate and adapt their architectural design to provide maximum inherent security.

One method to accomplish this is by having a valid and effective Software Development Lifecycle (SDLC) program in place which adheres to industry best practices, meets secure software development standards and has security activities and awareness built-in throughout the process.

The second way that network insecurity can be introduced into the merchants’ network is in how the product is deployed, configured and maintained. Many vendors feel that at this point it is out of their hands, but new pressures on the merchant from the PCI requirements are causing them to push back at the manufacturer.

Simply put, without the manufacturer’s assistance, training and documentation, the merchant and their IT teams have little idea what security issues or potential exploits await your product. The best they can do is to bolt on after-the-fact security in an effort to isolate the product from the network. The issue is further compounded by the fact that many manufacturers provide solutions which the IT staff cannot maintain the same way that they maintain their other network resources. For these reasons it will become increasingly valuable for manufacturers to develop programs which will assist the merchants in securely deploying and maintaining their products.

Ensure that added solutions do not break the merchant’s PCI compliance efforts

Merchants are hard at work to meet the requirements of the PCI-DSS and other standards. If manufacturers of products do not fully understand the requirements that need to be met, they may provide a configuration which, although secure, may in fact conflict with the PCI-DSS and therefore render the merchant’s efforts useless.

By fully understanding the merchant’s needs, more specifically the governance requirements that the IT staff is trying to meet, the manufacturer makes it more likely that the merchant will trust that the solution provided will enhance and not break their compliance efforts.

Have the solution vendor give them some form of validation that the solution is secure, can be maintained in a secure manner, and adheres to industry best practices and standards

Trust is a great thing, and manufacturers who have earned their clients’ trust are in an enviable position, but today merchants need more. They need authentic validation that what you say about the security of your product is not only true, but can be demonstrated to the entities that they have to answer to. Specifically, these are the auditors and the card companies that are enforcing the PCI standards. Merchants are no longer being taken at their word, and they will no longer take you at yours.

There may be several ways to demonstrate your security and compliance with the standards, but the best by far is to engage in the same type of audit that your clients are subject to, performed by a certified CISP-compliant auditing firm. You won’t get a certification, but you can ask for a Letter of Conformance, meaning that your processes and products were found by the auditor to comply with the PCI requirements.

The results of the audit give the merchant something they can point to in the event an auditor questions the security or configuration of your product on the network. It may not remove 100% of the concern and there may in fact be further action required by the manufacturer, but it provides the auditor and the merchant with a documented understanding of the actions you took as a manufacturer.

Admittedly, the primary problem faced by manufacturers when seeking out an audit is exactly what standard the auditor needs to measure against. One way is to utilize the existing PCI-DSS for any issue that applies to the manufacturer’s solution. Obviously there are many sections that apply only to payment applications and will need to be disregarded, but overall it will provide a solid starting point.

The next step will be to submit to a full scan by an approved scanning vendor (ASV) with a product configured exactly as deployed. A proper scan will expose commonly exploited vulnerabilities which will need to be mitigated by the manufacturer.

Lastly, the manufacturer will need to fill in the gaps with methods of their choosing, to demonstrate that they have adhered to all applicable development best practices. This can be extremely challenging and costly, and will vary by the manufacturer’s client demographic.

Have the vendor pick up some of the liability if the network is found not to be secure either through a breach or audit.

Ironically, if a manufacturer has performed all of the above steps, they will certainly have exposed themselves to a certain amount of liability. After all, the audit has served to document a certain level of security built into your process and product, but should your product fail to perform as stated or, even worse, become the primary entry point for a breach, all fingers will point back to the audit. If the manufacturer has provided inaccurate documentation or performance, they will most certainly be liable to some extent.

The challenge to manufacturers of course is how to best mitigate or limit the liability created by meeting these new client requirements. The most direct method of course is to simply provide secure products and programs, but this is not as easy as it seems. Most manufacturers do not currently have these processes and programs in place, and putting them in place can take years. In the case of imported products, it may be highly unlikely that foreign manufacturers will offer the required transparency into their software development practices and create the type of relationship needed to mitigate built-in security issues.

Conclusions

So where does this leave surveillance vendors? The answer may be “in the dark”, since there is no clarity and no direct solution for this issue. The largest governance our industry had been subjected to in the past was UL certification, for which we had a defined process and result. PCI compliance and the mitigation of network security issues is nothing like obtaining a UL certification.

I believe vendors will take two approaches to this issue, with one side deciding this is not an issue that should be dealt with by the surveillance industry. My thoughts are that if it is a client issue, it is a vendor issue, and vendors who choose not to address their clients’ concerns may find their product is less desirable. There is a large amount of competitive infiltration by complementary industries that do understand the governance requirements of the merchant, and this may simply assist them in their marketing efforts.

On the other side we will have the manufacturers who will most certainly recognize the need to provide secure products for a variety of reasons including proprietary and confidential company information on the network. They will work toward putting the processes and procedures in place, although this may take years to accomplish primarily due to the fact it will require significant changes to the way most companies develop, sell and deploy their products. Comments?

By David Nieweg, Marketing Director, 3xLogic, Inc.
