
    Site Moved a PC=A MESS

    Water Closet
    windows file server pc connection networking
      DustinB3403 @WrCombs

      @wrcombs said in Site Moved a PC=A MESS:

      So update on this: they brought out the original networking and communications team; they rehooked the PC back into the correct switch and are in the process of installing 4 x 8-port Netgear switches on a dedicated network for the PoS. The PoS are all working and can communicate with the back office.

      Apparently, the switch I was plugged into was a "Jumper" switch that did nothing but feed to the "new office", so I was not on the network.

      So they have two physical LANs on site, rather than using a VLAN for this?

        WrCombs @DustinB3403

        @dustinb3403 said in Site Moved a PC=A MESS:

        @wrcombs said in Site Moved a PC=A MESS:

        So update on this: they brought out the original networking and communications team; they rehooked the PC back into the correct switch and are in the process of installing 4 x 8-port Netgear switches on a dedicated network for the PoS. The PoS are all working and can communicate with the back office.

        Apparently, the switch I was plugged into was a "Jumper" switch that did nothing but feed to the "new office", so I was not on the network.

        So they have two physical LANs on site, rather than using a VLAN for this?

        Correct. My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say. This is the way we were told to do this (I believe by someone from one of our vendors who deals with PCI daily).

          DustinB3403 @WrCombs

          @wrcombs that doesn't surprise me about the compliance requirement, there are a bunch of stupid compliance requirements for all sorts of industries.

            travisdh1 @WrCombs

            @wrcombs said in Site Moved a PC=A MESS:

            @dustinb3403 said in Site Moved a PC=A MESS:

            @wrcombs said in Site Moved a PC=A MESS:

            So update on this: they brought out the original networking and communications team; they rehooked the PC back into the correct switch and are in the process of installing 4 x 8-port Netgear switches on a dedicated network for the PoS. The PoS are all working and can communicate with the back office.

            Apparently, the switch I was plugged into was a "Jumper" switch that did nothing but feed to the "new office", so I was not on the network.

            So they have two physical LANs on site, rather than using a VLAN for this?

            Correct. My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say. This is the way we were told to do this (I believe by someone from one of our vendors who deals with PCI daily).

            I'd have to question how much said people actually know about PCI compliance. That's not the way the basic technology works, it's all going over the same internet connection, unless they also make you have a direct physical line to the processor.

              WrCombs @travisdh1

              @travisdh1 said in Site Moved a PC=A MESS:

              @wrcombs said in Site Moved a PC=A MESS:

              @dustinb3403 said in Site Moved a PC=A MESS:

              @wrcombs said in Site Moved a PC=A MESS:

              So update on this: they brought out the original networking and communications team; they rehooked the PC back into the correct switch and are in the process of installing 4 x 8-port Netgear switches on a dedicated network for the PoS. The PoS are all working and can communicate with the back office.

              Apparently, the switch I was plugged into was a "Jumper" switch that did nothing but feed to the "new office", so I was not on the network.

              So they have two physical LANs on site, rather than using a VLAN for this?

              Correct. My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say. This is the way we were told to do this (I believe by someone from one of our vendors who deals with PCI daily).

              I'd have to question how much said people actually know about PCI compliance. That's not the way the basic technology works, it's all going over the same internet connection, unless they also make you have a direct physical line to the processor.

              Well, you are correct. However, this meets PCI compliance standards (from what I understand, or else we wouldn't be doing it this way . . . I don't know enough, nor have I looked into it enough . . .)

                DustinB3403 @WrCombs

                @wrcombs said in Site Moved a PC=A MESS:
                (I don't know enough, nor have I looked into it enough . . .)

                Said every PCI compliance author ever. . .

                  WrCombs @DustinB3403

                  @dustinb3403 said in Site Moved a PC=A MESS:

                  @wrcombs said in Site Moved a PC=A MESS:
                  (I don't know enough, nor have I looked into it enough . . .)

                  Said every PCI compliance author ever. . .

                  HAHAHAHAHAHAHAHA

                    scottalanmiller @WrCombs

                    @wrcombs said in Site Moved a PC=A MESS:

                    @dustinb3403 said in Site Moved a PC=A MESS:

                    @wrcombs said in Site Moved a PC=A MESS:

                    So update on this: they brought out the original networking and communications team; they rehooked the PC back into the correct switch and are in the process of installing 4 x 8-port Netgear switches on a dedicated network for the PoS. The PoS are all working and can communicate with the back office.

                    Apparently, the switch I was plugged into was a "Jumper" switch that did nothing but feed to the "new office", so I was not on the network.

                    So they have two physical LANs on site, rather than using a VLAN for this?

                    Correct. My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say. This is the way we were told to do this (I believe by someone from one of our vendors who deals with PCI daily).

                    Anyone can make a check list. That doesn't sound like PCI, since no PCI network is done that way.

                      scottalanmiller @WrCombs

                      @wrcombs said in Site Moved a PC=A MESS:

                      My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say,

                      You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.

                      A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards on a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one and the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.

                      So pretty black and white, your boss said you can't use credit card processing on your PCI network.

                        WrCombs @scottalanmiller

                        @scottalanmiller said in Site Moved a PC=A MESS:

                        @wrcombs said in Site Moved a PC=A MESS:

                        My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say,

                        You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.

                        A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards on a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one and the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.

                        So pretty black and white, your boss said you can't use credit card processing on your PCI network.

                        The network cannot be isolated. I agree there would be no way to isolate the credit card processing, because you have to use the internet to run cards through the system. However, this is how our vendor tells us this has to be done. This is, from my understanding, PCI compliant: the PoS aren't accessing the internet directly. The card is swiped, it goes back to the office software and is sent out to the processor via an SSL connection (or most recently TLS), then the response is sent back, held and pushed to the terminal that swiped the card, and payment is added.

                        The checklist came directly from a PCI testing company, and we pass all PCI compliance scans conducted on our sites, with the few exceptions of the ones using cameras off of the firewall, which open ports and answer during the test. As far as VLANs are concerned, I haven't looked into it enough on the PCI side of things, but from the book I had to read before I could start working on sites' credit cards, it has to be isolated and behind a firewall. The back office is behind a firewall, with 2 NICs to "isolate" the PoS network. PoS cannot have access to the Internet directly, but through the back office, which sends information.

                        Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).

                        scottalanmillerS travisdh1T 4 Replies Last reply Reply Quote 0
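The flow WrCombs describes above (PoS terminals talk only to the back office, the back office alone reaches the processor over TLS, and camera port-forwards are what fail the scans) can be audited as zone-to-zone rules, whether the PoS zone is built from a VLAN or from separate switches. This is an added example, not part of the thread or any vendor checklist; the subnets, the processor address, port 443 and the rule names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed addressing (assumption): the thread gives no subnets.
ZONES = {
    "pos": ip_network("10.20.0.0/24"),
    "backoffice": ip_network("10.10.0.0/24"),
}

# Zone pairs allowed to talk, with permitted destination ports (None = any).
# Anything not listed here is reported, including every Internet-initiated flow.
ALLOWED = {
    ("pos", "backoffice"): None,        # terminals hand the swipe to the office software
    ("backoffice", "pos"): None,        # response pushed back to the terminal
    ("backoffice", "internet"): {443},  # TLS to the processor (port is an assumption)
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # destination TCP port


def zones_touched(cidr):
    """Return every zone a CIDR can reach into; 'internet' means outside all zones."""
    net = ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")
    return hit


def audit(rules):
    """Return (rule name, offending flow) for each allow rule that breaks the policy."""
    findings = []
    for rule in rules:
        for src in sorted(zones_touched(rule.src)):
            for dst in sorted(zones_touched(rule.dst)):
                if src == dst:
                    continue  # traffic inside one zone never crosses the firewall
                ports = ALLOWED.get((src, dst), set())
                if ports is None or rule.port in ports:
                    continue
                findings.append((rule.name, f"{src} -> {dst} on port {rule.port}"))
    return findings


# Constructed allow rules: two that match the described design, two that do not.
RULES = [
    Rule("pos-to-backoffice", "10.20.0.0/24", "10.10.0.5/32", 5000),
    Rule("backoffice-to-processor", "10.10.0.5/32", "203.0.113.10/32", 443),
    Rule("camera-dvr-forward", "0.0.0.0/0", "10.10.0.50/32", 8000),
    Rule("pos-web-any", "10.20.0.0/24", "0.0.0.0/0", 80),
]

if __name__ == "__main__":
    for name, flow in audit(RULES):
        print(f"{name}: {flow}")
```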
                          scottalanmiller @WrCombs

                          @wrcombs said in Site Moved a PC=A MESS:

                          @scottalanmiller said in Site Moved a PC=A MESS:

                          @wrcombs said in Site Moved a PC=A MESS:

                          My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say,

                          You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.

                          A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards on a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one and the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.

                          So pretty black and white, your boss said you can't use credit card processing on your PCI network.

                          The network cannot be isolated. I agree there would be no way to isolate the credit card processing, because you have to use the internet to run cards through the system. However, this is how our vendor tells us this has to be done.

                          Right, and I'm just repeating back what the vendor told you. The vendor told you that you can't use them, because there is no way to comply.

                            scottalanmiller @WrCombs

                            @wrcombs said in Site Moved a PC=A MESS:

                            The checklist came directly from a PCI testing company...

                            that's like doing SEO from an SEO company. 99% of them are total scams. Most actually do the checklist of "what not to do", because they don't even have five minutes of SEO training.

                            Anyone can be a PCI company. You can start one in minutes yourself. Means nothing.

                              scottalanmiller @WrCombs

                              @wrcombs said in Site Moved a PC=A MESS:

                              Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).

                              But you said it was your boss who wanted to be compliant, and then came up with rules that said that you weren't. So the point was, your boss either is SO dumb, or knows he's just being an ass to screw the company.

                                WrCombs @scottalanmiller

                                @scottalanmiller said in Site Moved a PC=A MESS:

                                @wrcombs said in Site Moved a PC=A MESS:

                                Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).

                                But you said it was your boss who wanted to be compliant, and then came up with rules that said that you weren't. So the point was, your boss either is SO dumb, or knows he's just being an ass to screw the company.

                                Maybe it's just easier (for everyone-my boss included) to have two 'separate' networks(?)

                                Why go through the process of VLANs if you can have a dedicated NIC? It may just be the lazy way of reaching the same goal to me . . .

                                My boss was pushing the compliance issues, yes, because it is his job to make sure compliance is met within every site. You're telling me, if I'm not mistaken, that following directions coming from the vendor is my boss being dumb? Or being an ass?

                                • Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
                                  1. Install and maintain a firewall configuration to protect cardholder data.
                                  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

                                I guess reading this more thoroughly so I could continue this conversation: nowhere does it say it has to be a separate or isolated network, only that it needs to be behind a firewall as far as networking is concerned.

                                  WrCombs

                                  the full 12 requirements for PCI DSS:

                                    travisdh1 @WrCombs

                                    @wrcombs said in Site Moved a PC=A MESS:

                                    @scottalanmiller said in Site Moved a PC=A MESS:

                                    @wrcombs said in Site Moved a PC=A MESS:

                                    My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say,

                                    You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.

                                    A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards on a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one and the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.

                                    So pretty black and white, your boss said you can't use credit card processing on your PCI network.

                                    The checklist came directly from a PCI testing company, and we pass all PCI compliance scans conducted on our sites, with the few exceptions of the ones using cameras off of the firewall, which open ports and answer during the test. As far as VLANs are concerned, I haven't looked into it enough on the PCI side of things, but from the book I had to read before I could start working on sites' credit cards, it has to be isolated and behind a firewall. The back office is behind a firewall, with 2 NICs to "isolate" the PoS network. PoS cannot have access to the Internet directly, but through the back office, which sends information.

                                    FFS, this is so convoluted. Just stop treating the PCI checklist as anything other than a complete joke. I've read the entire **** thing, nothing says you need a separate network.

                                    Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).

                                    VLANs could work.

                                    If it were me reading that checklist, I'd be telling the boss "See this item on the check list? What it means is that they are not encrypting traffic from their software properly."

                                      WrCombs

                                      @travisdh1 said in Site Moved a PC=A MESS:

                                      @wrcombs said in Site Moved a PC=A MESS:

                                      @scottalanmiller said in Site Moved a PC=A MESS:

                                      @wrcombs said in Site Moved a PC=A MESS:

                                      My boss is pushing PCI compliance. I don't know enough about it to have an argument against him on this, but according to a PCI compliance checklist we received last year (before I was here), it has to be a completely isolated network; it cannot be a VLAN. Like I said, I don't know enough to have a say,

                                      You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.

                                      A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards on a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one and the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.

                                      So pretty black and white, your boss said you can't use credit card processing on your PCI network.

                                      The checklist came directly from a PCI testing company, and we pass all PCI compliance scans conducted on our sites, with the few exceptions of the ones using cameras off of the firewall, which open ports and answer during the test. As far as VLANs are concerned, I haven't looked into it enough on the PCI side of things, but from the book I had to read before I could start working on sites' credit cards, it has to be isolated and behind a firewall. The back office is behind a firewall, with 2 NICs to "isolate" the PoS network. PoS cannot have access to the Internet directly, but through the back office, which sends information.

                                      FFS, this is so convoluted. Just stop treating the PCI checklist as anything other than a complete joke. I've read the entire **** thing, nothing says you need a separate network.

                                      I refer to the above post where I said "I guess reading this more thoroughly so I could continue this conversation: nowhere does it say it has to be a separate or isolated network, only that it needs to be behind a firewall as far as networking is concerned."

                                      VLANs could work.

                                      If it were me reading that checklist, I'd be telling the boss "See this item on the check list? What it means is that they are not encrypting traffic from their software properly."

                                      I even added the full 12 requirements, which, for everyone's information, is the checklist, just broken down into a chart with separate sections that we call "The Checklist".

                                      And like I said at the beginning of the PCI compliance part of this: "I haven't looked into it enough, or know enough." At the time I was doing what I was told to do, because this is what the vendor said, and what I was taught.

                                        Dashrender @scottalanmiller

                                        @scottalanmiller said in Site Moved a PC=A MESS:

                                        @jaredbusch said in Site Moved a PC=A MESS:

                                        @dustinb3403 said in Site Moved a PC=A MESS:

                                        @jaredbusch said in Site Moved a PC=A MESS:

                                        @dustinb3403 said in Site Moved a PC=A MESS:

                                        @wrcombs said in Site Moved a PC=A MESS:

                                        @scottalanmiller said in Site Moved a PC=A MESS:

                                        @wrcombs said in Site Moved a PC=A MESS:

                                        @scottalanmiller said in Site Moved a PC=A MESS:

                                        This is called sabotage. Someone broke something by doing something they clearly had no idea how to do. Now they are hiding things from you to keep it from getting fixed. Time to escalate. Let someone know that the Site Manager has overseen damage to the network and that you have no idea what they have done and that they either aren't able to tell you or are unwilling to do so. Communicate to the powers that be. The Site Manager is responsible, so of course he's trying to blame you. It's HIS fault.

                                        You might need to suggest that given the unknown state of things, starting from scratch might be the best way to quickly resolve issues and know what the state of things is and what has been done.

                                        And get it in writing that sites cannot make changes as policy.

                                        My suggestion was to run new cables to each PoS terminal and go from there. The network tech told him to get the team that moved it back out there, because it was not either of our companies that made the move.
                                        Everything has been documented. I may need to just escalate this some more.

                                        What company did it? And why is the site manager allowing random, third party companies to touch stuff?

                                        Another vendor said "I think this is how this goes so I will do it," and he allowed them to; this is the new site manager. The one who allowed them to move it is no longer with the site.

                                        The who, what or why is the least important thing to be concerned about now. If you have a cable tester, and have a general idea of where the cable is going, check the switch to see if any of the ports are currently off.

                                        Then put the cable tester on the PC end and take the switch end and connect it to the tester. This will identify the cable as either being the "one" or not.

                                        From there you just move the cable from that switch port to the new office space as the PoS or Internet line and plug it all back in.

                                        That kind of cable testing is only a continuity tester. That does nothing for a live network because a jack plugged into a switch will not let it work right.

                                        I know, which is why the testing is from the wall to the punchdown block.

                                        That's why the LinkSprinter (or similar from other companies) is a staple for anyone doing actual network wiring for a living.

                                        I love mine.

                                        I love the free one I got!

                                          scottalanmiller @WrCombs

                                          @wrcombs said in Site Moved a PC=A MESS:

                                          @scottalanmiller said in Site Moved a PC=A MESS:

                                          @wrcombs said in Site Moved a PC=A MESS:

                                          Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).

                                          But you said it was your boss who wanted to be compliant, and then came up with rules that said that you weren't. So the point was, your boss either is SO dumb, or knows he's just being an ass to screw the company.

                                          Maybe it's just easier (for everyone-my boss included) to have two 'separate' networks(?)

                                          So you are just thinking he's a flat out liar that is disrespecting you? Reasonable. But having to deploy and maintain a physically separate network is just more work, for everyone. So doesn't really stand up as logical.

                                            scottalanmiller @WrCombs

                                            @wrcombs said in Site Moved a PC=A MESS:

                                            the full 12 requirements for PCI DSS:

                                            Right. Crystal clear, no separate networks needed, or even suggested.
