PCI Compliance and Security
Wed, 08/06/2008 - 07:40 — 3xDave - 0 comments
If you sell to retail clients you are probably starting to get a few questions asking if your solution is PCI compliant. 3xLogic has recently completed an independent audit which confirms that our solution is indeed PCI Compliant, but we also recognize the confusion about what exactly PCI is, what compliance means, and how this fits into the bigger security picture.
To help answer some of these questions we have created a special section on our website about PCI and other forms of IT governance which you can reach by going to http://www.3xlogic.com/pci. There you will find a link to our whitepaper which speaks to IT managers about how PCI and video surveillance can coexist.
In addition, we have published an article on the web at www.ipvideomarket.info which further explains what PCI Compliance is and how it affects security dealers and integrators. John Honovich, who runs the ipvideomarket website, said he has received quite a bit of feedback from the industry about the timeliness and relevance of the article to the security industry.
In a nutshell, all retailers who take VISA or other forms of credit card are being required to protect their clients’ card data by adopting the standards set by the PCI Security Council.
While video surveillance systems typically do not handle credit card data directly, they usually reside on the corporate network and could therefore provide an entry point for attackers seeking that data. By ensuring that our solutions meet and exceed the requirements of PCI, we help our clients ensure that our solutions enhance, rather than undermine, their compliance efforts.
PCI is a big deal to retailers, and PCI compliance is a big deal for anyone wanting to install third-party products on a PCI compliant network. However, it is just as important to understand what PCI is not.
PCI is only designed to protect one thing, and that is credit card data. While it may lead to a more secure network it does not provide guidelines for protecting the following:
- Personally Identifiable Information (HIPAA)
- Corporate Financial Data (SOX)
- A company’s other confidential and proprietary data
- The audio/video data within the video surveillance system
Total network security of a surveillance product is just as important as PCI compliance and we have taken proactive steps to ensure not only PCI compliance but total network security.
In doing so we must realize that total network security is a moving target. At 3xLogic we have put a variety of programs in place to address this issue including:
- Designing a highly secure architecture that does not rely on frequently attacked technologies such as web applications and other exposed OS services.
- Building security into our entire development lifecycle with the participation of our dealers and end-user clients.
- Providing full documentation, procedures and training to dealers and end-users for the safe deployment and maintenance of our products.
- Keeping an open and structured communications channel with dealers and end-users for new threats, proper mitigation and to assist in non-standard deployments.
Offering a product with total security requires the involvement of all parties, including the dealer and the end-user client. If you have a project that requires compliance with any form of governance such as PCI, HIPAA or SOX, let us know early on and we can work with you to determine whether our solution will work.
In addition, feel free to share your thoughts or ask a question in the comments below.