The short answer is that it depends – and as always, we recommend that you confer with your compliance team on questions like this for your bank. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed by the major card brands. Governed by the Payment Card Industry Security Standards Council (PCI SSC), it is designed to protect credit and debit card transactions against data theft and fraud. A separate PCI SSC document, the Card Production and Provisioning Physical Security Requirements, sets very specific standards for CCTV and access control systems (along with other physical security matters), but it applies only to entities involved in card production and provisioning, such as card manufacturers and personalization vendors, not to the typical bank or merchant.
For everyone else, PCI DSS itself lays out 12 requirements that apply to any organization that accepts, processes, stores, or transmits cardholder data. Requirement 9, "Restrict physical access to cardholder data," is the one that matters here: it requires that cardholder data, and the systems and media that hold it, be physically protected.
Specifically, PCI DSS requires either video cameras or access control mechanisms (or both) to monitor individual physical access to "sensitive areas" - data centers, server rooms, and any other area housing systems that store, process, or transmit cardholder data. The sub-requirements under this control include:
- Monitoring all entry and exit points to sensitive areas with video cameras, access control mechanisms, or both
- Protecting the cameras and access control mechanisms themselves from tampering or disabling
- Reviewing the collected data and correlating it with other entries (for example, matching badge-reader logs against camera footage for the same door and time)
- Retaining video recordings and access log data for at least three months (90 days), unless otherwise restricted by law
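The two review items above, correlating badge logs with footage and checking the retention window, are easy to spot-check with a script. The following is an added example (not from the article or from any vendor product) that reads a constructed badge-reader log, checks that every event at a sensitive-area door falls inside a clip from a camera covering that door, and flags any camera whose oldest available footage is newer than 90 days. The door names, camera IDs, log format, and clip inventory are assumptions made for illustration.

```python
"""Correlate badge (access-control) events with CCTV coverage of sensitive-area
doors and check the footage-retention window against the 90-day floor.

Added example; all data below is constructed and every name (doors, cameras,
log format) is an assumption for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 90  # retention floor the text gives for PCI DSS Requirement 9


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    door: str
    badge: str
    granted: bool


@dataclass(frozen=True)
class VideoClip:
    camera: str
    start: datetime
    end: datetime


# Assumed site layout: which cameras cover which sensitive-area door.
DOOR_CAMERAS = {
    "server-room-east": {"cam-07", "cam-08"},
    "card-vault": {"cam-12"},
}


def parse_access_log(lines):
    """Parse 'ISO8601 door badge GRANTED|DENIED' lines (assumed log format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, door, badge, result = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), door, badge, result == "GRANTED"))
    return events


def uncovered_events(events, clips, tolerance=timedelta(seconds=30)):
    """Return events at sensitive-area doors that no covering camera recorded
    within +/- tolerance of the event time (denied attempts count too)."""
    missing = []
    for ev in events:
        cams = DOOR_CAMERAS.get(ev.door)
        if cams is None:
            continue  # not a sensitive area: out of scope for this check
        covered = any(
            c.camera in cams and c.start - tolerance <= ev.ts <= c.end + tolerance
            for c in clips
        )
        if not covered:
            missing.append(ev)
    return missing


def retention_shortfalls(clips, now, min_days=MIN_RETENTION_DAYS):
    """Return {camera: days_retained} for every camera covering a sensitive
    door whose oldest available clip is newer than now - min_days."""
    oldest = {}
    for c in clips:
        oldest[c.camera] = min(oldest.get(c.camera, c.start), c.start)
    for cam in set().union(*DOOR_CAMERAS.values()):
        oldest.setdefault(cam, now)  # no footage at all -> zero days retained
    return {cam: (now - start).days for cam, start in oldest.items()
            if (now - start).days < min_days}


# Constructed sample data: a fixed "now", four badge events and three clips.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_ACCESS_LOG = """\
# constructed sample: timestamp door badge result
2024-06-01T09:00:00+00:00 server-room-east B1042 GRANTED
2024-06-01T09:45:00+00:00 card-vault B2210 GRANTED
2024-06-01T10:30:00+00:00 lobby B3001 GRANTED
2024-06-01T11:15:00+00:00 card-vault B1042 DENIED
"""

SAMPLE_CLIPS = [
    VideoClip("cam-07", NOW - timedelta(days=120), NOW),  # continuous, 120 days kept
    VideoClip("cam-08", NOW - timedelta(days=120), NOW),
    # cam-12 stopped recording three hours ago and only holds 20 days of footage
    VideoClip("cam-12", NOW - timedelta(days=20), NOW - timedelta(hours=3)),
]


def run_audit(log_text=SAMPLE_ACCESS_LOG, clips=SAMPLE_CLIPS, now=NOW):
    events = parse_access_log(log_text.splitlines())
    return uncovered_events(events, clips), retention_shortfalls(clips, now)


if __name__ == "__main__":
    missing, short = run_audit()
    for ev in missing:
        print(f"NO FOOTAGE: {ev.ts.isoformat()} {ev.door} badge={ev.badge} granted={ev.granted}")
    for cam, days in short.items():
        print(f"RETENTION SHORT: {cam} holds {days} days, need {MIN_RETENTION_DAYS}")
```

On the constructed data the two card-vault events (one granted, one denied) have no matching footage because cam-12 stopped recording before them, and cam-12 is also flagged for holding only 20 days. The lobby event is ignored because the lobby is not in the sensitive-area map; a real deployment would drive that map from the assessor-agreed list of sensitive areas rather than hard-code it.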
Beyond that minimum, it is also advisable to have:
- Both CCTV and access control systems in place to protect the cardholder data located in sensitive areas, so that each record can be checked against the other during review
- Continuous 24-hour recording rather than motion-triggered recording alone, so there are no gaps in the footage to explain during a review
- Offsite backup storage for security footage and access control records, so a failure or tampering at the site does not destroy the only copy
For areas that are not classified as sensitive, PCI DSS does not require video surveillance, and where cameras are present anyway it imposes no retention requirement on their footage - although your compliance team may still prefer to apply one consistent retention policy across all cameras.