What is PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006, to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.
The major credit card companies (VISA, MasterCard, Discover, and American Express) came together and published a uniform set of data security standards that serve those who work with payment cards. This includes: merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.
Overview
All Northwestern University departments that accept credit/debit card payments are considered merchant locations and must process those payments in a secure manner. It is the responsibility of each merchant location to maintain compliance with the NU Merchant Card Processing Policy and the Payment Card Industry Data Security Standard (PCI DSS) established by the Payment Card Industry Security Standards Council (PCI SSC).
Treasury Operations is a central e-commerce administrator and compliance resource for Northwestern University merchant locations. All Northwestern University merchant locations must participate in Northwestern University’s PCI training program and compliance initiatives. Failure to fully participate may result in the merchant account being revoked.
Northwestern’s PCI DSS Compliance Program addresses requirements of the PCI SSC, including:
- Security Awareness Education (required PCI DSS Security Training and Attestation)
- Third Party Service Provider (TPSP) engagement
- System Vulnerability Scans
- System Penetration Testing
- Periodic Reviews and Audits
- Annual PCI SAQ (Self-Assessment Questionnaire)
(1) PCI DSS Security Training and Attestation
Per PCI DSS requirement 12.6, Northwestern University requires all Northwestern merchant location personnel interacting with the Cardholder Data Environment (CDE) in any manner (from the initial entry to the final reconciliation) to complete an annual training and attestation. This mandatory requirement includes student employees, contractors and volunteers.
Employees and those with myHR access should complete training in myHR: (PCI DSS: Payment Card Data Security).
Volunteers and those without myHR access should complete this training at: https://sites.northwestern.edu/pcidss/
- Individuals who have not completed training and attestation are not permitted to process Cardholder Data (CHD) on behalf of Northwestern University interests. Merchant locations using untrained or unattested individuals to process CHD may have their merchant account revoked.
Merchant location personnel should also read and understand the Northwestern PCI DSS Compliance Policy.
Treasury Operations may require individual or group participation in additional PCI security awareness education training as needed.
(2) Third Party Service Provider (TPSP) engagement
NU Merchant locations or their representatives, including vendors and other TPSPs, may not enter into legally binding agreements with TPSPs processing or handling any type of CHD (Cardholder Data), or interacting in any other way with the CDE (Cardholder Data Environment) without proper NU vetting and approval first; including but not limited to Treasury Operations, NU IT Security and Compliance, NU Office of General Counsel and NU Purchasing. All agreements with TPSPs must have specific PCI DSS and liability shift language included.
(3) System Vulnerability Scans
Merchants with non-P2PE, on-campus payment systems connected to the Internet are required to run vulnerability scans against their systems. Northwestern University’s contract with Trustwave includes external vulnerability scans that are scheduled on the TrustKeeper Portal; scan reports are posted on the TrustKeeper Portal as well. It is the responsibility of the Merchant to review the scans and address any vulnerabilities that have been identified. Failure to address identified vulnerabilities can result in the Merchant location, as well as the entire University, falling out of compliance. Merchants with PCI-validated P2PE payment systems are not required to run scans.
(4) System Penetration Testing
Northwestern University is now a PCI Level 3 Merchant based upon recent card processing metrics, and NU Merchants with non-P2PE, on-campus payment systems connected to the Internet are now required to have internally conducted penetration testing performed at least quarterly. Since this service is not currently a part of our Trustwave contract, arrangements need to be made by e-Commerce Operations and NU IT Security and Compliance, coordinated with Merchant onsite Administrators and IT staff. Failure to cooperate with this mandatory requirement may result in your Merchant account being revoked. Merchants with PCI-validated P2PE payment systems are not required to run penetration tests.
(5) Periodic Reviews and Audits
Treasury Operations and Northwestern’s PCI DSS partners or consultants may perform periodic reviews or audits of merchant location operations to ensure that merchants comply with PCI DSS and the University's risk is reduced. Failure to cooperate with such activities may result in merchant account usage being revoked.
Merchant locations should also routinely review their procedures and equipment, including physically inspecting card processing equipment to ensure devices have not been substituted or tampered. This Merchant Location Device Inspection Checklist can be used for your inspections.
Please contact ccard@northwestern.edu with questions or to request assistance.
(6) Annual PCI SAQ (Self- Assessment Questionnaire)
All Northwestern University merchant locations are required to validate PCI-DSS compliance at least annually by completing the appropriate SAQ in a timely manner. A questionnaire must be completed for each Merchant account, and a new questionnaire must be filled out whenever any of the following have occurred:
- - payment processing system changes
- - a year has elapsed since your last SAQ
- - upon Treasury Operations request
The SAQ should be completed through the TrustKeeper Portal which is available in the CardConnect CardPointe gateway.
There are 8 types of SAQ. Treasury Operations or Arrow Payments can help determine which type is required for your merchant location environment:
| SAQ Type | Type of Payment System |
|---|---|
| SAQ A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. |
| SAQ A-EP | Card Not Present, E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels |
| SAQ B | Merchants using only Imprint machines with no electronic cardholder data storage and/or Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based Virtual Terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
| SAQ D | All other SAQ-Eligible Merchants |
| SAQ P2PE-HW | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
Resources:
Today, it seems cash is a thing of the past, with most shoppers leaning on credit cards or even mobile payment to complete transactions for both physical and online shopping. With the increase in these forms of payments, retailers are responsible for protecting their customers’ critical data from threat actors lurking around every corner, ready to siphon sensitive personal information. Material breaches, those compromising many records or having a significant impact on business operations, are even up 24.5%, with retailers experiencing the largest number across any industry.
Enter the Payment Card Industry Data Security Standard (PCI DSS): the gold standard of compliance for all businesses that store, transmit and process cardholder data, intended to Excellerate the security of sensitive user data. Much like changing regulations for government agencies, retailers are preparing to navigate the next major update: PCI DSS 4.0.
As threat actors set their sights on retailers who begin their journey to comply with PCI DSS 4.0, retail organizations should remember that compliance is only the beginning of their cybersecurity journey. While PCI DSS 4.0 provides guidance toward a stable foundation of cybersecurity best practices that protect critical customer data from new and emerging threats, retailers should build upon these requirements to move from a reactive to a proactive cybersecurity approach.
Changing Tides of PCI DSS 4.0
Effective in 2024, this evolution of PCI marks the first update since 2018 that helps to address many of the technology and cybersecurity evolutions the retail industry is experiencing. While the update brings many positive changes, one of the most concerning changes, in my opinion, is that requirement 12.3.2 allows organizations to customize their approach to proving compliance with each of the PCI DSS security requirements.
On the surface, this is explained away as an evolution of the existing compensating controls model and it makes sense from this perspective. However, as a former PCI internal security assessor and practitioner at several level 1 merchants, this control is concerning because it puts the onus on the qualified security accessor (QSA) to determine if the merchant’s approach and testing methodology is suitable.
In this blog from the PCI Security Standards Council (SSC), the author states that “the customized approach is most successful when the entity has robust security processes and strong risk management practices and is able to effectively design, document, test, and maintain security controls to meet that objective.” However, in my experience, QSA quality varies greatly and is comprised often of a team of junior analysts being led by a senior analyst with backup by a QA team.
This approach is effective when the controls are prescriptive, but as more complex controls are enabled to be implemented and audited via this method, the ability to properly understand and evaluate the custom approach requires senior resources. With the current shortage of expertise in the field, particularly in payment infrastructure and technology, I foresee this gap increasing the time needed to certify a report on compliance, and this potential needs to be factored into the QSA schedule and merchant expectations on timing.
Bruce Schneier once said in an interview that “complexity is the worst enemy of security.” I fear that this allowance for customized approaches will increase the intricacies of a security solution and that a lack of deep domain understanding of the elements of the solution will inadvertently introduce more security holes that aren’t covered by PCI DSS controls, because of the inability to properly test efficacy against the original requirements as set forth in the DSS.
Retail organizations seeking to take this customizable direction should consider the growing opportunities it presents to threat actors looking to exploit those non-standard routes. Additionally, the long lead time to implement these regulations gives attackers a window to use the framework as a blueprint to breach retailers before they have time to implement changes to their cybersecurity strategy.
Balancing Compliance and Security
While many retailers are looking to check the box for compliance, they must remember to look past the standards in PCI DSS 4.0 to create an approach to cybersecurity that protects their critical assets. A proactive approach to cybersecurity strategies consists of regularly assessing risk probabilities and impacts, incorporating cybersecurity into enterprise-wide risk management and working with business leaders to mitigate risks.
While taking on a proactive cybersecurity approach may seem daunting, retailers should prioritize a few essential aspects to develop a holistic strategy:
- Risk scoring and quantification: Risk scoring provides an objective measurement for evaluating security posture that considers a wide range of risk factors. By converting data-driven metrics and threat intelligence into an easy-to-grasp representation of genuine cyber risk, organizations can better understand how safe their assets are and identify security weaknesses with the greatest potential financial impact. Armed with this understanding, they can better control the scope of their risk assessments mandated in requirement 12.
- Vulnerability prioritization: To truly understand cyber risk and prevent breaches, advanced vulnerability prioritization automatically considers threat intelligence, asset context and attack path analysis. This enables smarter and more precise remediation strategies in comparison to just considering CVSS severity. Organizations with complex environments and limited resources can target their effort where it matters by prioritizing vulnerabilities that pose the greatest risk. Prioritization is required by 6.3 and including attack path analysis can help reduce overall scope of the cardholder data environment (CDE).
- Exposure analysis: An exposure is an exploitable vulnerability that a threat actor can access and compromise. Exposure analysis identifies exploitable vulnerabilities and correlates them with an organization’s unique network and security controls to calculate high-risk assets exposed to threat actors. Without exposure analysis, organizations can waste a great deal of time and resources chasing vulnerabilities unlikely to lead to a breach. Understanding network access is a core tenet of the DSS and is key to accurately scope the CDE and avoid wasted audit resources due to the inability to adequately demonstrate segmentation. Exposure analysis is a key capability to prove said segmentation and reduce scope.
By adopting a proactive approach to cybersecurity alongside the latest updates to PCI DSS, retailers will be armed with the proper tools to protect their most critical assets: customer data. These strategies allow retail organizations to build modern cybersecurity programs that defend against the increasing threats the industry faces today, like increasing ransomware and phishing attacks that can result in data breaches.
Terry Olaes is Director of North America systems engineering at Skybox Security. With more than 20 years of experience in IT, his expertise includes IT/OT convergence, audit and compliance, data breaches and incident management. Working on the ground floor at a manufacturing plant, serving as a systems engineer and managing large security teams have provided Olaes with a unique perspective on fortifying IT/OT security posture. He specializes in helping organizations devise the right cybersecurity strategies to help manage vulnerabilities and mitigate risks across IT, OT, and hybrid cloud environments.
Editorial Note: We earn a commission from partner links on Forbes Advisor. Commissions do not affect our editors' opinions or evaluations.
In an increasingly connected digital world, cyberattacks and hacking are ever-present realities. For those working in information technology (IT), a cybersecurity certification is an excellent way to build practical knowledge of how to protect against security threats.
Top-rated credentials are also conducive to job mobility and maintaining your organization’s reputation. Earning a reputable cybersecurity certification requires an investment, as we outline on this page—but it can pay off as well.
What is a Cybersecurity Certification, and Why Pursue One?
Cybersecurity certifications verify that you have extensive, demonstrated knowledge of issues like hacking and cyberattacks. Certification also shows that you understand the best practices and strategies for maintaining organizational privacy and security.
Through earning certifications, IT professionals benefit from detailed training modules and test prep materials. Along with expertise, cybersecurity certifications can bring credibility to employees’ organizations.
If you’re just starting out and wondering how to get into cybersecurity, entry-level certifications are a great place to begin. Likewise, if you’re seeking a more advanced role with a higher cybersecurity salary, certifications can help you meet that goal by bolstering your cybersecurity resume.
How Long Does a Cybersecurity Certification Take?
Certification programs vary in terms of training and test duration. Some certification providers offer multi-day or multi-part modules that can be completed in person, online or in a hybrid format. Many certifications do not require training or coursework, but candidates are encouraged to prepare on their own time.
The Best Cybersecurity Certifications
CompTIA Security+
Recognized as a leading global certification, CompTIA Security+ is a basic, essential credential that validates core skills for cybersecurity professionals. This designation is considered a stepping stone to mid-level roles and satisfies the DoD 8570 compliance.
Students learn to navigate issues via real-world examples and will gain technical expertise in architecture and design, implementation, operations and incident response, governance, compliance and more.
- Exam fee. $392
- Time to completion. The test is 90 minutes long and available both in person and online via Pearson VUE. Candidates who take CompTIA’s CertMaster Learn training course must complete 40 to 50 hours of self-paced materials.
- Professionals who may benefit. Network and cloud engineers, IT project managers, security administrators, IT auditors, security engineers and analysts
Microsoft Certified: Security, Compliance, and Identity Fundamentals
This certification is a great option for individuals seeking a comprehensive understanding of Microsoft’s Security Compliance and Identity (SCI) solutions. It’s recommended that prospective students be familiar with Microsoft Azure and Microsoft 365. They should also have a background in network and/or cloud computing or IT.
- Exam fee. $99
- Time to completion. The test has a 45-minute completion window. Preparation times vary. Microsoft offers two options for test preparation: a free, four-part learning path series, which walks through test essentials at your own pace, and a fee-based (approximately $600), six-hour virtual session facilitated by an instructor.
- Professionals who may benefit. IT professionals seeking new credentials, cybersecurity students looking to complement their studies and anyone interested in Microsoft’s SCI solutions
Certified Information Systems Security Professional (CISSP)
This intermediate-level certification is offered by (ISC)2 and is highly ranked in the cybersecurity field. The credential serves professionals seeking knowledge of security design, implementation and management. Prospective CISSPs should have at least five years of experience to qualify for the exam. Individuals with less experience may pursue the Associate of (ISC)2 certification.
The four-hour test contains between 125 and 175 questions. (ISC)2 offers multiple formats for test preparation, including classroom-based training, online sessions led by instructors, online self-paced modules and private training.
- Exam fee. $749
- Time to completion. CISSP candidates must have at least five years of experience before taking the exam. A four-year degree satisfies one year of this required experience. The test itself lasts four hours.
- Professionals who may benefit. C-level executives and directors of information security; security systems engineers and analysts; security managers, architects, auditors and consultants
Certified Information Security Manager (CISM)®
Ideal for security professionals looking to advance into manager-level positions, this ISACA certification provides tactical knowledge related to information security governance, risk and incident management and program development. In addition to passing the exam, CISM candidates must demonstrate full-time industry experience and complete an application.
- Exam fee. $575 for ISACA members, $760 for nonmembers
- Time to Completion. Candidates must have completed five years of full-time security management work experience. The test itself is four hours. test preparation times vary.
- Professionals who may benefit. Mid-level information security professionals seeking managerial roles
Certified Information Systems Auditor (CISA)®
Professionals in mid- and entry-level cybersecurity jobs can benefit from this certification, which covers five domains: information systems auditing process; governance and management of IT; information systems acquisition, development and implementation; information systems operations and business reliance; and protection of information assets. Like the CISM certification, candidates must pass the test and apply for certification with appropriate industry credentials.
- Exam fee. $575 for ISACA members, $760 for nonmembers
- Time to Completion. The four-hour test comprises 150 multiple-choice questions. Candidates must have at least five years of professional experience in information systems auditing, control or security.
- Professionals who may benefit. Information technology and information security professionals in auditing, control and assurance roles
GIAC Security Essentials Certification (GSEC)
This entry-level credential is a great cybersecurity certification for beginners. The designation moves practitioners beyond basic knowledge, equipping them with the tactical skills to occupy IT systems roles that navigate active defense, cryptography, defensible network architecture, security policy and web security.
- Exam fee. $949 (includes test and two practice tests)
- Time to completion. The exam, which requires proctoring via ProctorU or Pearson VUE, lasts four to five hours and comprises 106 to 180 questions. Preparation time varies.
- Professionals who may benefit. New and established information security professionals in managerial, operations, engineering, supervisory, administrative, analytical and auditing roles
Certified Ethical Hacker (CEH)®
A CEH certification provides cutting-edge training on the most current trends in hacking for security professionals. Presented in a gamified format, the CEH v12 course includes 20 modules covering everything from the basics of ethical hacking to solving real-world hacking challenges across platforms, systems and networks. Prospective CEHs may skip the training and apply for eligibility to take the certification exam.
- Exam fee. $950 to $1,199 depending on test delivery format
- Time to completion. The CEH test lasts four hours. The EC-Council training costs $850 and takes five days to complete. Experienced candidates with at least two years of relevant work experience can apply to take the test without attending training.
- Professionals who may benefit. Information security analysts, administrators, managers, engineers, auditors, officers and administrators
Logical Operations CyberSec First Responder (CFR-410)®
This certification is ideal for security professionals who defend organizations against hackers. With a hands-on approach to mitigating cyberattacks, the CFR program is designed for professionals with an established, working command of IT and cybersecurity issues. The certification test is issued in person or online via Pearson VUE. Interested candidates do not need to submit eligibility verification, documentation or application fees.
- Cost. $350
- Time to completion. The test contains 80 multiple-choice questions and lasts120 minutes. Preparation time varies, but candidates may take a five-day training available at Logical Operations’ online store. This certification is recommended for professionals with at least two years of relevant experience.
- Professionals who may benefit. IT professionals with experience in cybersecurity who are familiar with risk management, vulnerability assessments, organizational policies on cybersecurity and incident response processes
The common hardware interface in PCs, Macs and other computers for connecting peripheral devices such as storage drives and graphics cards. PCI Express (PCIe) was introduced in 2002 as "Third Generation I/O" (3GIO), and by the mid-2000s, motherboards had at least one PCIe slot for graphics. PCIe superseded PCI and PCI-X.
Switched Architecture - Multiple Lanes
Unlike its PCI predecessor, which used a shared bus, PCI Express is a switched architecture of up to 32 independent, serial lanes (x1-x32) that transfer in parallel. Each lane is full duplex (see illustration below).
Internal and External for Laptops
A mini PCIe came out for laptops (see Mini PCI Express) and Thunderbolt extends PCIe outside the computer (see external GPU). For PCIe/PCI comparisons, see PCI-SIG. See PC data buses, PCI, M.2, ExpressCard, Thunderbolt and PCI-X.
PCI Express Data Rate (each direction)
Version 1 Lane 4 Lanes 16 Lanes
(MBps) (GBps)
Gen 1 250 1 4
Gen 2 500 2 8
Gen 3 984 3.94 15.85
Gen 4 1969 7.88 31.51
Gen 5 3938 15.75 63.02
Gen 6** 7877 31.51 126.03
** = planned for 2023
Parallel Transfer of Serial Channels Each lane is an independent single-bit serial channel. PCIe is a type of parallel transfer but each lane has its own clock, which differentiates it from earlier parallel technologies. 
PCIe on the Motherboard This Asus motherboard has four x1 and three x16 slots (two black, one beige). The x16 slots accommodate x16, x8 and x4 cards. (Image courtesy of ASUStek Computer Inc.) 
M.2 Over PCIe This is a 960GB NVMe SSD on an 80x20mm M.2 card. The connection is via PCIe, either via an M.2 socket on the motherboard or a PCIe adapter card. See M.2. 
Different Sizes of PCI Express PCIe sockets are not the same as PCI, and they come in x1, x4, x8 and x16 sizes. 
PCIe Replaced AGP for Graphics The AGP slot gave way to an x16 PCIe slot for the graphics card. (Image courtesy of NVIDIA Corporation.)In this article:
Whether you go the DIY home security route or opt for a professionally installed setup, choosing the right security system for your home is a big decision. You'll find no shortage of options ranging from highly customizable DIY solutions available from brands like Ring, SimpliSafe and Wyze to low-hassle, professional monitoring services from ADT, Vivint and others.
More competition in the home security market makes for more internet-connected gadgets like indoor and outdoor cameras, video doorbells and smart locks. It also brings new vulnerabilities, including an increased risk of hacking. It's a lot to take in, and today's home security providers don't always make it easy to comparison-shop.
That's where we come in. We've put security systems to the test, from top-of-the-line monitored systems with professional installation to wallet-friendly DIY home security system alternatives, including a home security camera (or cameras) and smart home devices monitored via a smartphone app. We'll be updating this article as we go based on hands-on experience so you can be sure you're investing in top home security systems.
Best home security systems of 2023
Installation
Professional installation
Contract Required
No
Voice Assistant
Amazon Alexa, Google Assistant
Additional Fees
24/7 professional monitoring fee
Service Bundles
Internet, phone, cable
Comcast Xfinity Home is a terrific, accessible and affordable service, which is why we gave it an 8 out of 10 in our review. It could cost you thousands less than comparable setups from direct competitors like Vivint and ADT, works with plenty of third-party smart home gadgets and doesn't require a contract. If you can get around Comcast's pressure to bundle with their other services (you don't have to do it!) and the service's limited home automation capabilities, this home security system will treat you well.
Installation
DIY installation
Contract Required
No
Voice Assistant
Amazon Alexa, Google Assistant
Additional Fees
24/7 professional monitoring fee, recording fees
Service Bundles
N/A
Ring's Alarm Pro system has changed the DIY home security game, wrapping a Wi-Fi 6 Eero router into its base device. Not only do you get reliable security performance, but you'll also get access to all sorts of extra features. These include cellular-powered backup Wi-Fi, network security monitoring, local processing and storage for your Ring devices and integration with Alexa's Guard Plus service (provided you have an Echo speaker or display). Considering all the bells and whistles, the Ring Alarm Pro received an impressive score of 9/10 in our review.
Ring still has a troubling history regarding its privacy practices and policies. Still, the Ring Alarm Pro is undeniably one of the smartest DIY home security systems I've ever tested, and it's still competitively priced in a crowded market.
You're receiving price alerts for Ring Alarm Pro
Like SimpliSafe, Wyze allows you to build a custom security system for your home needs. A home monitoring subscription starts at either $10 a month or $100 annually, including the required Wyze Sense Hub for free. From there, you can add motion sensors, cameras, keypads, video doorbells and more. Or you could opt for the Home Security bundle at Amazon, which includes a v3 camera, two door/window sensors, a motion detector, a keypad and the Sense Hub, and a six-month monitoring subscription for less than $150. The only real drawback: Wyze doesn't have a cellular backup in case of power or internet outages. Perhaps that feature will come with time, but for now, we provide the Wyze Home Monitoring system a solid 8.4 out of 10.
You're receiving price alerts for Wyze Home Monitoring
Installation
DIY installation
Contract Required
No
Voice Assistant
Amazon Alexa, Google Assistant
Additional Fees
24/7 professional monitoring fee, storage fee
Service Bundles
N/A
We've tested the SimpliSafe system several times and most recently gave it a review score of 8.5 out of 10. If you're looking for home security -- without all the extra Wi-Fi and smart home integrations of the Ring Alarm Pro -- SimpliSafe's easy-to-install, easy-to-use DIY system is a great option. It offers a comprehensive set of features, including equipment like security cameras and a very good mix of battery-powered motion detection sensors, all of which performed reliably well in our tests. Starter kits begin at less than $250, or you can build a custom alarm system with the exact mix of devices you need. The security company's professional monitoring plan starts at $18 a month, but you'll almost certainly want to spring for the $28-a-month monitoring service plan, which adds in things like mobile app controls and smart home security system voice support via Alexa and Google Assistant.
Installation
Professional installation
Contract Required
No
Voice Assistant
Amazon Alexa, Google Assistant
Additional Fees
24/7 professional monitoring fee, storage fee
Service Bundles
Smart home bundles available
Vivint is a lot more expensive than Comcast Xfinity -- and received a lower review score of 7.7 in part due to the high upfront costs -- but if money is less of a concern than smart home integration, it's worth considering. Vivint gives you a super-polished experience with nice third-party device integrations -- and it doesn't require a contract. With monthly monitoring ranging from $30 to $45 a month, it's comparable month-to-month with Xfinity.
Other home security systems we've tested
Besides the systems above, we've tested many of the top competitors, including Abode, Abode Iota, Frontpoint, Kangaroo, Ring Alarm, Cove and ADT. Abode and Abode's all-in-one security camera Iota were both solid contenders that couldn't quite match SimpliSafe's price, but they're worth checking out if you're interested in DIY smart home systems for small spaces or systems that don't require monitoring subscriptions. Ring Alarm is another solid DIY option, but the company's problems with police partnerships tip us away from recommending it -- especially when a company like Wyze offers such a strong, budget-friendly alternative.
DIY systems Frontpoint, Cove and Kangaroo all had features to recommend them. Frontpoint's system is reliable and its hardware is reasonably priced, but its $45 monthly monitoring fee is too expensive. Kangaroo, by contrast, is incredibly wallet-friendly but its doorbell camera is terrible, so Wyze keeps its edge in the budget category too. Cove Home Security, despite reasonable hardware prices, fell to an overly restrictive subscription model that doesn't allow for self-monitoring or app access without significant monthly fees.
ADT, one of the biggest brands we've tested, was broadly disappointing. It's too expensive, requires a contract and the app is clunky. We've tested AT&T Digital Life, too, though we've removed the system from consideration since the company stopped installing it for new customers.
We have yet to test Brinks Home, though we hope to include it in our considerations in the coming months.
How we test home security systems
Hands-on testing is core to our evaluations of any home security products. In short, when it comes to the best home security systems, we pay special attention to the user experience, the promised features, reliability and overall value -- along with a few other elements. We do the testing in a real home environment over the course of at least a full week. If you want to read more about our review process, check out our in-depth article on how we test home security systems and services.
Home security systems compared
|
|
Comcast Xfinity | Ring Alarm Pro | SimpliSafe (8-piece set) | Vivint Smart Home | Wyze Home Monitoring |
|---|---|---|---|---|---|
| System price | $360 | $300 | $240 | $500 | $100 |
| Monthly monitoring price | $30 | $20 | $18-$28 | $30-$45 | $10 |
| Starter equipment | Touchscreen controller, three door-window sensors, pet-friendly motion sensor, battery and cellular system backup, Xfinity Home Security yard sign | Eero Wi-Fi 6 mesh router, door-window sensors, motion detectors, a keypad, a siren and optional professional monitoring subscriptions | Base station, keypad, motion sensor, four entry sensors, one panic button | Hub, two door window sensors, a motion detector, a flood sensor | v3 camera, two door/window sensors, a motion detector, a keypad and the Sense Hub |
| Contract required? | No | No | No | No | No |
| Setup | Professional installation | DIY installation | DIY installation | Professional installation | DIY installation |
| Extra features | Integration with a large and growing list of third-party devices, flexible pricing | Cellular-powered backup Wi-Fi, network security monitoring, local processing, storage for all of your Ring devices and integration with Alexa's Guard Plus service | Customizable system, built-in Wi-Fi and cellular, integration with Amazon Alexa and Google Assistant | Customizable system, integration with many third-party devices, integration with Amazon Alexa, Google Home and Z-Wave devices | Customizable system, integration with many third-party devices, integration with Amazon Alexa and Google Assistant |
| Review score | 8 | 9 | 8.5 | 7.7 | 8.4 |
What to consider when choosing a home security system
When choosing a home security system for your home, you may be tempted to start with deciding between a DIY setup or one that is professionally installed and monitored. However, when you consider the equipment, installation, monitoring options and other features you want, you'll probably reach a DIY-versus-pro system decision along the way.
Equipment and installation. Do you just need to keep watch over your entryways? A good video doorbell for your front door and an outdoor camera covering the back may be all you need -- easy to install and monitor yourself.
However, if you want to keep closer tabs on your home inside and out with 24/7 monitoring and quick access to emergency response services, you'll want a more robust system. DIY and professional brands offer home security bundles with most, if not all, of the equipment you'd need to get started and the ability to add single devices as needed.
Most home security devices are compatible with Alexa and Google Home smart hubs, but if you prefer Apple HomeKit or another smart home ecosystem, you may have to do a bit more shopping and comparing to find a system compatible with your existing smart home devices. Don't fret over compatibility too much, however, as Matter will make it easier to connect previously noncompatible devices.
Keep in mind all that equipment will need to be installed. While there isn't much to installing a security camera or even a wired video doorbell, whole-home systems can be a bit more demanding to install and set up. If you'd rather leave that to an expert, and have them walk you through how to use the system, a professional home security service may be the way to go.
Monitoring, alerts and emergency features. Virtually all home security systems allow for self-monitoring, likely via an app on your phone. They'll also send you push notifications when there's an event, such as when a package is delivered to your doorstep.
Consider whether you want to be in charge of all the monitoring or if you'd like some support. A professional system will come with 24/7 monitoring, but you may be able to add professional monitoring to your DIY system for a fee, depending on the brand you choose.
More advanced features, such as facial recognition, broken glass detection and communication with emergency services may not be available from all manufacturers and devices. Consider the level of monitoring you want, and who you want to do it, along with the emergency response options, when choosing a home security system.
Costs, upfront and ongoing. I listed "cost" last here for a reason. A complete home security system will likely cost you at least a couple of hundred bucks, so be prepared for that. There's the potential to spend lots more on equipment, of course, or a lot less -- maybe a $35 security camera will satisfy your security needs.
Still, the upfront cost of a home security system is roughly the same from one brand to the next, so don't let cost be the deciding factor. Find a system that has the equipment, installation options, monitoring and features you want first, then compare pricing.
That said, ongoing costs can carry a bit more weight when choosing the best security system. Expect ongoing monthly fees from a professional service and possibly a contract to lock you into those fees for a year or two. While not ideal, signing a contract may come with free equipment or installation and lower upfront costs.
If you're comfortable with self-monitoring, DIY systems may not come with any ongoing costs. Monthly subscriptions (without a contract) for cloud storage, enhanced features and possibly even professional monitoring are typically an option with DIY systems, often for lower monthly fees than professional services.
Home security system FAQs
Do I have to sign a contract for home security?
Contracts are sometimes required for professional home monitoring or to qualify for free equipment, so service from home security providers like ADT, Vivint and Xfinity may include one. That said, it's usually possible to avoid contracts if you pay upfront -- and other home security companies like Ring, SimpliSafe and Wyze offer DIY home security solutions that never require one.
What's the best home security camera system for your home?
Arlo, Nest and Wyze cameras are our top picks for the best home security cameras, but the best one for your home depends on your needs. Be sure to consider price, Wi-Fi connectivity, indoor/outdoor functionality and compatibility with other smart home devices and security services when choosing.
How do I set up a home security system?
Some home security systems come with professional installation, so you can rely on the company to install and set up your system. Others, including many DIY systems, may require self-installation and setup. These systems should come with detailed instructions and are often easy to set up. In most cases, you can simply place or mount the devices where desired, then connect them to your Wi-Fi and other smart home devices (if compatible) via an app.
What's the difference between a wired and wireless alarm system?
In a home security context, there are two ways to look at "wired" vs. "wireless." The first is power -- home security systems require electricity to operate. In that context, a wired system would be one with devices that plug into power and rely on your home's electricity. A fair number of current-gen systems use wireless, battery-powered sensors and battery backups for the base stations that will keep the setup running if the power ever goes out. You can think of those systems as "wireless" as far as electricity is concerned.
There's a second way to look at wired vs. wireless. It concerns connectivity. Every home security system needs to be able to notify you when there's a problem and alert the authorities when there's an emergency. It used to be that systems would notify you with the sound of the alarm and contact authorities via a wired connection to your phone line. Now, most current-gen systems can also notify users of issues with a push alert on their phones. Some will use an internet connection to contact professionals during an emergency.
Even then, we'd still consider the system "wired" if you can stop it from operating by cutting your home's internet signal. That's why many systems include built-in cellular connectivity as a backup. Even if the Wi-Fi goes out (or if a tech-savvy intruder disables it), a system like that will still be able to notify you and the authorities of an emergency by way of that cellular connection. Systems like those are "wireless" in the connectivity sense -- and if they double down with a battery backup as well, then they're as wireless as home security gets.
More home security recommendations
— As Council's latest Principal Participating Organization, MagicCube will help shape the direction of PCI SSC—
NEW YORK, Jan. 16, 2023 /PRNewswire/ -- MagicCube, the company that created the Software Defined Trust (SDT) category and developed i-Accept the soft POS payment solution is excited to announce today that it is now a PCI Security Standards Council (PCI SSC) Principal Participating Organization. MagicCube will help drive security of the future of global payment experiences with a strategic level of leadership, participation, and influence within the Council and the ecosystem.
"By joining as a Principal Participating Organization, MagicCube will have a significant impact .." Lance Johnson, PCI
MagicCube became the only independent Tap-to-Phone / SoftPos vendor to join the PCI Security Standards Council's Board of Advisors a year ago.
PCI SSC leads the global effort to increase payment security by providing flexible, industry-driven, and effective data security standards and programs to support new experiences for the purpose of wider inclusion and adoption. Global industry collaboration is critical to this mission. The Council's Participating Organizations program brings together industry leaders to strategize about how to protect payment data from the emerging threats and to anticipate the needs of an ever-changing payment ecosystem.
In this new role as a Principal Participating Organization, MagicCube will work within PCI to contribute to the strategic direction, technical discussions, and build consensus for the support of the Council's new and progressive initiatives.
"Every day, companies and organizations across the globe face an ever-changing payment landscape with new and evolved threats attacking to their systems, and data," said Lance Johnson, Executive Director of the PCI Security Standards Council. "By joining as a Principal Participating Organization, MagicCube will have a significant impact on how PCI SSC helps them address these challenges especially the direction and development of PCI Security Standards and resources that help organizations prevent, detect, and mitigate attacks on global payment data."
"We are proud of our participation in many of the council's effort, especially our contribution to the MPoC standard for Tap to Pay and soft POS to" said Nancy Zayed, CTO of MagicCube. "Now that we will play a significantly bigger strategic role, we are humbled and excited to push innovative software security technologies designed to be on par with hardware-based security, yet with the ease, practicality, and agility of software."
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.
About MagicCube
MagicCube leads the Software Defined Trust (SDT) category with its software-based, virtual Trusted Execution Environment (vTEE) platform. The technology enables secure, large-scale deployment and management of Internet of Things (IoT) and mobile solutions to consumers. MagicCube was awarded the first recognition of a software-based Trusted Execution Environment issued by EMVCo, the global consortium which facilitates worldwide interoperability and acceptance of secure payment transactions. MagicCube has been named by Network World's one of the "10 Hot IoT Startups to Watch", listed as a Cool Vendor in Security and Risk Management by Gartner, and is the only startup to sit on the board of the PCI Security Standards Council. Investors in MagicCube include Mosaik Partners, Shift4, Bold Capital, Epic Ventures, ID Tech, Sony Innovation Fund, and Visa, among others. For more information, visit www.magiccube.co or follow us on Twitter @MAGIC3INC.
View original content to obtain multimedia:https://www.prnewswire.com/news-releases/magiccube-becomes-a-pci-principal-participating-org-to-help-drive-the-future-of-global-payment-security-301722046.html
SOURCE MagicCube
