[PCI DSS 1.x] 9.1.1 Use cameras to monitor sensitive areas. Audit collected data and correlate with other entries.

9.1.1 Verify that video cameras monitor the entry/exit points of data centers where cardholder data is stored or present. Video cameras should be internal to the data center or otherwise protected from tampering or disabling. Verify that cameras are monitored and that data from cameras is stored for at least three months.

Does PCI post any guidelines as to how often the data must be reviewed and correlated with other entries? Is this a daily, weekly, monthly or quarterly task?

Great question. PCI DSS is silent on how often the video monitor results are to be monitored. There is a hint in that the recordings are to be kept for 3 months. This would imply that you would monitor them inside of quarterly. I would think weekly would be a good periodicity. A cross-check of the written access log and/or automated badge access log would be good at the same time. I understand from advertising I’m hearing on the radio now that cameras are available that can alert if they detect humans in the field of vision - anytime those alert in off-hours would be a good time to review as well.

Thanks for your answer. We’ve been told that we must audit the data every day, so this point seems to be open to interpretation. Like you, I believe that once a week is all that is needed. Hopefully PCI will clarify this better in future releases.

Daily seems like overkill unless there are some special risks involved, like poor physical access controls to the room. If PCI DSS wanted a specific review cycle they would have specified it.