What's the claim?

There's a security camera company that has been claiming that PCI compliance requires having 90 days of security camera footage.

This is an incredibly misleading half-truth, so let's unpack this claim.

Who is Making the Claim

This claim is part of a section of a specific company’s sales pitch which, depending on the salesman, implies or directly states that only their equipment is compliant. This is absolutely not the case. Additionally, this company has made several claims that are part of this series and directly markets towards enterprise, corporate, and government-focused clients.

Conflating Different PCI Requirements

Herein lies the issue. There are two different PCI compliance requirements.

Understanding PCI DSS Requirements

Most people know of PCI compliance as the process that they have to jump through in order to accept credit or debit cards. Colloquially, we all call that process "getting PCI compliant," but the reality is that PCI calls that "PCI DSS" Compliance. PCI DSS, here stands for "Payment Card Industry Data Security Standard.". PCI DSS has no specific security camera requirements for accepting credit cards but has some physical security requirements, which imply that you should probably have cameras, locks, access control, or security cameras, depending on your situation. It has absolutely no requirements for footage retention.

Understanding PCI PED Requirements

The problem is that there's another "PCI compliance" - PCI PED, which stands for "Payment Card Industry (PCI) Card Production Security Requirements." PCI PED does require ninety-day retention of video footage for credit card production facilities.

Misinformation Harms the Industry by Creating Mistrust

Although a credit card issuing company like VISA may call the process of getting PCI PED accreditation "PCI compliance," that isn't what most people think of by the term.

Telling a customer half-truth isn't the way to earn customer trust and using misinformation to create fear of non-compliance is a bad sales practice.

Here's the Truth, If You Accept Credit Cards, You Should Get Security Cameras, but You Are Not Required To

A cashier handling money should always be recorded. They could get robbed. They could put money in their pocket. They could accidentally mischarge the customer. A customer could assault them. They could assault a customer. A customer could assault another customer in line. There are multiple reasons to get cameras to watch any place where employees and customers interact, especially where money is exchanged.

Documentation and Proof

Relevant sections, analysis, link to entire documentation, for PCI DSS Compliance

Requirement 9: Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all paper and electronic media containing cardholder data.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

9.2 Develop procedures to easily distinguish between onsite personnel and visitors, such as assigning ID badges.

9.3 Control physical access for onsite personnel to the sensitive areas. Access must be authorized and based on individual job function; access must be revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc. returned or disabled.

Clearly, there's no explicit camera requirement here, but cameras are a good way to remain in compliance with requirement 9.2. It's hard to know if you had a physical security breach if you don't have any video evidence.

Relevant sections, link to entire documentation, for PCI PED Compliance

3.4.5.2 Monitor, Camera, and Digital Recorder Requirements

a) Each monitor, camera, and digital recorder must function properly and produce clear images on the monitors without being out-of-focus, blurred, washed out, or excessively darkened. The equipment must record at a minimum of four frames per second.

CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be via motion activated. The recording must continue for at least a minute after the last pixel of activity subsides.

c) CCTV monitors and recorders must be located in an area that is restricted from unauthorized personnel.

d) CCTV cameras must be connected at all times to:

o Monitors located in the control room

o An alarm system that will generate an alarm if the CCTV is disrupted

o An active image-recording device

Q30 March (update) 2015

Q. For purposes of this requirement, can motion activation recording be used, such that if there is not any activity and associated motion, there is not any need to record? If motion activation is allowed, how long past cessation of motion must be recorded?

A. This requirement is under revision. The new text will state: CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion activated. The recording must continue for at least ten seconds after the last motion has been detected. The recording must capture any motion at least 10 seconds before and after the detected motion.