Why this matters

If you are scoping a surveillance or access-control project, a vendor will tell you a product is "standards-based" as if that settles the question — and it never does, because no single standard covers a whole system. Cameras, recorders, door controllers, card readers, identity databases, and the management software above them each interoperate through a different standard, and the expensive mistakes come from assuming one standard does another's job. Knowing the map lets you write an RFP that asks for the right standard at each layer, avoid buying obsolete wiring in 2026, and tell the difference between a vendor who embraces open standards and one who only claims to. You will not implement any of these protocols; you will gain the vocabulary to specify a system that a second vendor can extend later instead of one locked to its first supplier.

The myth of the one standard

Start by retiring a comforting idea: that somewhere there is a single "security interoperability standard" you can demand and be done. There is not. A working system is a stack, and each layer speaks its own language.

A useful analogy is a building's utilities. The electrical code, the plumbing code, and the fire code are different documents written by different bodies, and a finished building obeys all of them at once. Security interoperability is the same: the standard that lets a recording server pull video from any camera is not the standard that lets a card reader talk to its door controller, which is not the standard that syncs an employee's access rights from the HR database to the badge system. Demanding "ONVIF" for the whole system is like demanding "the electrical code" cover your plumbing.

Layered map of security interoperability standards: ONVIF for video, OSDP for the reader wire, PSIA PLAI and PKOC for identity. Figure 1. The interoperability stack. Each layer of a physical-security system interoperates through a different standard; a real deployment uses several at once. ONVIF dominates the video and device layer; OSDP dominates the reader-to-controller wire; PSIA owns the identity and open-credential layer.

So this article is the map of everything other than the ONVIF video baseline. (If you have not met ONVIF yet, start with ONVIF explained for engineers and the profile decision guide; for the commercial overview Fora Soft maintains, see ONVIF profiles in security systems.)

PSIA: the standard that almost was

The Physical Security Interoperability Alliance (PSIA) is an industry group, founded in February 2008 and incorporated in March 2009, that writes open, license-free specifications for security devices to exchange data. It was born from the same frustration as ONVIF — that physical-security gear was a thicket of closed, proprietary systems requiring custom code to connect anything to anything.

PSIA's design philosophy was ambitious: instead of starting with video, it built a common foundation and layered every security domain on top. It published a family of seven complementary specifications. Three are "reference works" that everything else inherits from — the Service Model, the Common Metadata & Event Model (a shared vocabulary for security events), and the Common Security Model (rules for encryption, keys, and permissions). On top of those sit the domain specs: IP Media Device (video), Recording and Content Management or RaCM (recorders and playback), Video Analytics, and Area Control (access and intrusion). A device that speaks the common event model can, in principle, share an alarm with any other PSIA device without a custom translation.

Technically, PSIA chose a lighter architecture than ONVIF. PSIA is built on REST — the same simple request-and-response style that ordinary web APIs use — while early ONVIF used the heavier SOAP/XML web-services stack (verbose envelopes described by WSDL contracts). On paper, REST is the more modern, developer-friendly choice, and PSIA backers argued it would win on elegance.

The PSIA specification family: three reference works under four domain specs, with PLAI and PKOC still active in 2026. Figure 2. The PSIA specification family. Three reference works underpin the domain specs. The video-era specs lost to ONVIF; the identity and credential work — PLAI and PKOC — is where PSIA stays relevant in 2026.

Why ONVIF won the video race

Elegance did not decide it; adoption did. By the mid-2010s, member companies of ONVIF commanded over 40% of worldwide video-surveillance revenue against roughly 25% for PSIA members, and in network video specifically the gap was wider — close to 60% versus 20% (IMS Research market data, via asmag). Once the largest camera and software makers backed ONVIF, every integrator learned ONVIF, every datasheet advertised ONVIF, and the standard's lead compounded.

The structural reasons matter more than the numbers, because they explain why the lead held. ONVIF's "build one underlying specification, then tackle each discipline separately" approach gave it a single conformance program and a strong legal and testing framework — a camera either passes the Profile S test suite or it does not. PSIA's broader, looser approach left gaps. Device discovery is the clearest example: PSIA allowed several discovery mechanisms (Zeroconf, UPnP, Bonjour), so a PSIA camera using one and a PSIA recorder using another could fail to find each other — interoperability in name, not in practice. ONVIF mandated one discovery method, so conformant products simply found one another.

The honest summary: ONVIF won video because it made conformance testable and mandatory at the device layer, and the market rewarded that certainty. PSIA's reference-model elegance could not overcome it. None of this makes PSIA a failure — it makes PSIA a standard that found its real home elsewhere.

Where PSIA actually lives now: identity and credentials

PSIA's lasting contribution is not video. It is the layer ONVIF historically left alone: who a person is, and what badge proves it.

The most active PSIA specification is PLAI — Physical-Logical Access Interoperability, introduced in 2013. PLAI solves a dull but costly problem. In a large organization the "logical" identity systems (HR, IT directory, single sign-on) and the "physical" access-control systems (the badge readers on doors) are separate worlds that fall out of sync. An employee is terminated in HR on Friday but their badge still opens the lab on Monday. PLAI defines a common way to push identity and privilege data from the authoritative logical source into any conformant physical access-control system, building on identity-world standards already in use — role-based access control and the LDAP directory protocol. Major access vendors including Software House (JCI), Lenel, and Kastle, along with biometric makers such as Idemia and Eyelock, have implemented PLAI adapters.

PSIA's newer work is PKOC — Public Key Open Credential, a fully open, vendor-neutral specification for an access card or mobile credential. Its idea is borrowed from modern cryptography: instead of a shared secret copied onto every card and reader (the weakness of legacy badge formats), each PKOC credential holds a private key that never leaves the card or phone, and the reader verifies it with the matching public key. There are no licensing fees, no proprietary infrastructure, and no per-credential lock-in, and PKOC readers work with both old and new door panels. The PSIA ratified a PKOC-over-OSDP specification on 22 March 2024, tying its open credential to the access wiring standard below.

OSDP: the access-control standard that did win

On the access-control side, there is a standard that won as decisively as ONVIF won video — but at the wire level. OSDP, the Open Supervised Device Protocol, governs how a card reader at a door talks to the access-control unit (ACU) — the controller, usually in a closet, that decides whether the door unlocks.

To see why OSDP matters, meet what it replaces. For forty years, readers connected to controllers over Wiegand, a 1980s standard that sends the card number in one direction only, unencrypted, over a bundle of wires. Anyone who can reach the cable can read the credential or inject a fake one, and the controller cannot even tell if the reader has been unplugged. Wiegand is the unlocked back door of the access industry.

OSDP fixes all three problems and adds distance. It is two-way, so the controller and reader confirm each other and the controller knows instantly if a reader goes offline ("supervised" is the S in OSDP). It runs over RS-485, a rugged two-wire serial bus, and its Secure Channel mode encrypts the link with AES-128. The practical wiring difference is large, and worth doing as arithmetic:

Wiegand:  ~6–12 conductors per reader, point-to-point
          max useful distance ≈ 150 m (500 ft), one home-run cable per reader
OSDP:     2 data wires, multi-drop bus (many readers on one run)
          max distance ≈ 1,219 m (4,000 ft), readers daisy-chained

For a corridor of eight doors, Wiegand means eight separate cable runs back to the controller, each capped near 150 m; OSDP can serve readers from a single RS-485 bus reaching up to 1,219 m, encrypted end to end. OSDP was created in 2008, donated to the Security Industry Association (SIA), and approved as an international standard — IEC 60839-11-5 — in May 2020; SIA published version 2.2.2 in October 2024. Specifying OSDP, not Wiegand, is now the baseline expectation for any new access project.

OSDP vs Wiegand wiring: Wiegand is many-wire, one-way, unencrypted; OSDP is two-wire, two-way, AES-128 encrypted, multi-drop. Figure 3. The reader-to-controller wire. Wiegand is one-way, unencrypted, and one cable per reader, capped near 150 m. OSDP (IEC 60839-11-5) is two-way, AES-128-encrypted, supervised, and multi-drop to 1,219 m. This is the layer ONVIF does not touch.

ONVIF beyond video, and the role of MQTT

ONVIF did not stay in its video lane. It now publishes access-control profiles of its own: Profile A (configuring access rules, schedules, and credentials), Profile C (door control and monitoring), and Profile D (peripherals like locks and readers at the system level). These let a management platform from one vendor configure door controllers from another — the system-to-controller layer. Note the clean division of labor: ONVIF's access profiles standardize how the management software talks to the controller, while OSDP standardizes how the controller talks to the reader on the wire. They are complementary, not competing, and ONVIF and SIA have publicly aligned their efforts on this split.

One more piece glues modern systems together: MQTT, a lightweight publish-and-subscribe messaging protocol (standardized as ISO/IEC 20922 and originally from OASIS) designed to move small messages efficiently between many devices and a central broker. ONVIF's Profile M — its metadata-and-analytics profile — uses MQTT so that an event or an AI-generated detection from one maker's camera can be published to, and understood by, another maker's software. As surveillance shifts from "record everything" to "tell me when something happens," MQTT is becoming the event backbone beneath the video. The detection models that generate those events belong to a different discipline — see the AI for Video Engineering section — but the transport that carries their output is increasingly MQTT.

IEC 62676: the rulebook above the protocols

The standards so far are about connection — how two boxes talk. IEC 62676 is different: it is the international standard that defines what a Video Surveillance System (VSS) must do to be fit for security use. It is a multi-part rulebook: Part 1-1 sets general system and performance requirements; the Part 2 series covers video transmission and interoperability profiles (including 2-11, published in 2024, for VMS and cloud video-surveillance-as-a-service in safe-city and law-enforcement use); Part 3 covers analog and digital interfaces; Part 4 (updated 2025) gives application and planning guidelines; and Part 5-1 defines environmental image-quality testing.

You will rarely cite IEC 62676 in a small commercial install, but it sets the vocabulary for operational requirements — image quality sufficient to observe, recognize, or identify a person — that serious public-sector and regulated tenders demand. Think of it as the standard that says what "good enough" means, while ONVIF and OSDP say how the parts connect.

The standards at a glance

Standard What it standardizes Layer Architecture / wire Status in 2026
ONVIF Camera ↔ software; some access control Device & system Web services / REST over IP Dominant for video; growing in access
PSIA (video) Camera, recorder, analytics interop Device REST over IP Largely superseded by ONVIF
PSIA PLAI Identity sync (logical ↔ physical) Identity REST, built on RBAC + LDAP Active; multi-vendor adoption
PSIA PKOC Open, license-free access credential Credential Public-key (asymmetric) Emerging; ratified over OSDP 2024
OSDP Reader ↔ controller Wire 2-wire RS-485, AES-128 Dominant; IEC 60839-11-5
Wiegand Reader ↔ controller (legacy) Wire Multi-wire, one-way, plaintext Obsolete; being phased out
MQTT Event & metadata transport Messaging Pub/sub over TCP (ISO/IEC 20922) Growing; used by ONVIF Profile M
IEC 62676 VSS requirements & image quality System rulebook Specification, not a wire protocol Reference for regulated tenders

Table 1. The honest map. No row replaces another; a real system stacks several rows at once. The two clear 2026 winners are ONVIF (video) and OSDP (reader wire).

Common mistakes this map prevents

A few errors recur often enough to name. Assuming ONVIF covers access control end to end — it standardizes the management-to-controller link, but the reader-to-controller wire is OSDP's job; specify both. Buying Wiegand in 2026 — it is one-way and unencrypted, and a serious security audit will flag it; OSDP (IEC 60839-11-5) is the modern baseline. Writing off PSIA as dead — it lost video, but PLAI and PKOC own the identity and open-credential layer ONVIF does not. Treating "standards-based" as a yes/no — always ask which standard, which profile, which version, exactly as you would for ONVIF, because the same gap between "conformant" and "fully featured" applies here too (the topic of proprietary camera SDKs beyond ONVIF).

Which standard for which job: ONVIF to pull video, PSIA PLAI to sync identity, PKOC for an open credential, OSDP to wire a reader, MQTT for events. Figure 4. Which standard for which job. The fastest way to use this map: name the job, then specify the standard that owns it. A real system needs several rows at once.

Where Fora Soft fits in

We build the management and ingest layer that has to speak all of these at once. In a multi-vendor video surveillance system, that means a VMS that discovers cameras over ONVIF, falls back to direct RTSP where a device is only partly conformant, consumes events over MQTT, and bridges into access-control and identity systems through their own standards rather than a brittle one-off integration. Our bias is accuracy-vs-performance: we measure what each "standards-based" device actually delivers under load — which features really work over the standard and which quietly need the vendor SDK — before we promise an integrator a clean multi-vendor fleet. Surveillance and computer vision are core to what Fora Soft has shipped across 625+ projects since 2005.

What to read next

Call to action

References

  1. PSIA — Specifications Overview, Physical Security Interoperability Alliance (issuing body). The seven-specification family: Service Model, Common Metadata & Event Model, Common Security Model, IP Media Device, Recording and Content Management, Video Analytics, Area Control; PLAI as the most active. Tier 1. https://psialliance.org/specifications-overview/ (accessed 2026-06-08)
  2. PSIA — All About PLAI, Physical Security Interoperability Alliance (issuing body). PLAI introduced 2013; unifies logical and physical identity; builds on RBAC and LDAP; vendor adoption (Software House/JCI, Lenel, Kastle, Idemia, Eyelock). Tier 1. https://psialliance.org/all-about-plai/ (accessed 2026-06-08)
  3. PKOC & PLAI: Elevating the Experience of Secure Credentials, PSIA white paper (issuing body). PKOC as an open, license-free public-key credential; private key held on the card/device; PKOC-over-OSDP ratified 22 March 2024. Tier 2. https://psialliance.org/wp-content/uploads/2023/03/PSIA-PKOC-White-Paper-V6-Final.pdf (accessed 2026-06-08)
  4. ONVIF Profiles, ONVIF (issuing body). Video profiles S, T, G; access-control profiles A, C, D; Profile M for metadata; Profile Q deprecated 1 April 2022. Tier 1. https://www.onvif.org/profiles/ (accessed 2026-06-08)
  5. Open Supervised Device Protocol (OSDP), Security Industry Association (issuing body). OSDP created 2008, donated to SIA; Secure Channel AES-128; approved as IEC 60839-11-5 in May 2020; SIA OSDP v2.2.2 released October 2024. Tier 1. https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/ (accessed 2026-06-08)
  6. IEC 60839-11-5:2020 — Electronic access control systems — Open supervised device protocol (OSDP), International Electrotechnical Commission. The international OSDP standard: ACU-to-peripheral communication settings, packet formats, commands and replies. Tier 1. https://webstore.ansi.org/standards/iec/iec6083911eden2020 (accessed 2026-06-08)
  7. IEC 62676 series — Video surveillance systems for use in security applications, International Electrotechnical Commission. Multi-part VSS standard: Part 1-1 system requirements; Part 2-11:2024 transmission/interop profiles; Part 4:2025 application guidelines; Part 5-1 environmental image-quality testing. Tier 1. https://webstore.iec.ch/en/publication/83425 (accessed 2026-06-08)
  8. PSIA and ONVIF: Measuring Video Standards, asmag.com (institutional/analyst, IMS Research data). ONVIF members >40% of worldwide video-surveillance revenue vs ~25% for PSIA; network video ~60% vs ~20%. Tier 5; used for market context, not a standards claim. https://www.asmag.com/showpost/9020.aspx (accessed 2026-06-08)
  9. There Is a Hole in the Boat: Why Access Control Professionals Need to Move From Wiegand to OSDP, Security Industry Association. Wiegand's one-way, unencrypted weaknesses and the case for OSDP. Tier 2 (issuing-body commentary). https://www.securityindustry.org/2021/11/09/there-is-a-hole-in-the-boat-why-access-control-professionals-need-to-move-from-wiegand-to-osdp/ (accessed 2026-06-08)
  10. ONVIF To Highlight Open Interoperability Standards at ISC West 2026, SecurityInformed. ONVIF Profile M with MQTT; access-control profiles A/C/D; ONVIF support for SIA's OSDP IP extension; cloud and metadata direction. Tier 5; orientation. https://www.securityinformed.com/news/onvif-highlight-open-interoperability-standards-isc-co-8173-ga.1772688102.html (accessed 2026-06-08)
  11. Why Choose OSDP Over Wiegand in Access Control, Axis Communications white paper (May 2025). RS-485 two-wire multi-drop, Secure Channel, supervised connection, distance vs Wiegand. Tier 4; vendor engineering, corroborating the wire claims. https://whitepapers.axis.com/en-us/osdp-protocol-in-access-control (accessed 2026-06-08)
  12. Physical Security Interoperability Alliance, Wikipedia. Founding (Feb 2008 / incorporated March 2009 / David Bunzel), specification timeline, REST architecture, member list. Tier 6; orientation and history, corroborated against the PSIA site. https://en.wikipedia.org/wiki/Physical_Security_Interoperability_Alliance (accessed 2026-06-08)