Site Moved a PC=A MESS
-
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
My boss is pushing PCI Compliance, I don't know enough about it to have an argument against him on this. but according to a PCI Compliance checklist we received last year ( before i was here) It has to be a completely isolated network- Can not be a vLAN, Like I said i don't know enough to have a say,
You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.
A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards are a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one at the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.
So pretty black and white, your boss said you can't use credit card processing on your PCI network.
The network can not be Isolated, I agree there would be no way to isolate the credit card processing because you have to use internet to run cards through the system, However, This is how our vendor, Tells us this has to be done. This is, from my understanding, PCI Compliant: PoS arent accessing the internet directly, Card is swiped it goes back to the office software and is sent out to the processor via SSL connection ( Or most recently TLS) , then the response is sent back , held and pushed to the terminal that swiped the card, and payment is added.
The checklist came directly from a PCI testing company, and we pass all PCI compliance scans conducted on our sites, For the few exceptions of the ones using Cameras off of the firewall, which open ports and answers during the test. As far as VLAN's are concerned, I haven't looked into enough on the PCI side of things, but from the Book I had to read before I could start working on sites Credit Cards, It has to be isolated and behind a firewall- The back office is behind a firewall, with 2 NIC's to "Isolate" the PoS network. PoS can not have access to the Internet directly, but through the Back office which send information.
Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).
-
@wrcombs said in Site Moved a PC=A MESS:
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
My boss is pushing PCI Compliance, I don't know enough about it to have an argument against him on this. but according to a PCI Compliance checklist we received last year ( before i was here) It has to be a completely isolated network- Can not be a vLAN, Like I said i don't know enough to have a say,
You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.
A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards are a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one at the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.
So pretty black and white, your boss said you can't use credit card processing on your PCI network.
The network can not be Isolated, I agree there would be no way to isolate the credit card processing because you have to use internet to run cards through the system, However, This is how our vendor, Tells us this has to be done.
Right, and I'm just repeating back what the vendor told you. The vendor told you that you can't use them, because there is no way to comply.
-
@wrcombs said in Site Moved a PC=A MESS:
The checklist came directly from a PCI testing company...
that's like doing SEO from an SEO company. 99% of them are total scams. Most actually do the checklist of "what not to do", because they don't even have five minutes of SEO training.
Anyone can be a PCI company. You can start one in minutes yourself. Means nothing.
-
@wrcombs said in Site Moved a PC=A MESS:
Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).
But you said it was your boss who wanted to be compliant, and then came up with rules that said that you weren't. So the point was, your boss either is SO dumb, or knows he's just being an ass to screw the company.
-
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).
But you said it was your boss who wanted to be compliant, and then came up with rules that said that you weren't. So the point was, your boss either is SO dumb, or knows he's just being an ass to screw the company.
Maybe it's just easier (for everyone-my boss included) to have two 'separate' networks(?)
Why go through the process of VLANs if you can have a dedicated NIC? It may just be the lazy way of reaching the same goal to me . . .
My boss was pushing the compliance issues, Yes, Because it is his job to make sure compliance is met within every site. You're telling me, If im not mistaken, That following directions coming from the vendor is my boss being Dumb? or Being an Ass?
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do no use Vendor- supplied Defaults for system passwords and other security parameters .
I guess reading this more thoroughly so I could continue this conversation: no where does it say It has to be a separate or isolated network, Only that It needs to be behind a firewall as far as Networking is concerned.
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
-
-
@wrcombs said in Site Moved a PC=A MESS:
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
My boss is pushing PCI Compliance, I don't know enough about it to have an argument against him on this. but according to a PCI Compliance checklist we received last year ( before i was here) It has to be a completely isolated network- Can not be a vLAN, Like I said i don't know enough to have a say,
You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.
A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards are a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one at the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.
So pretty black and white, your boss said you can't use credit card processing on your PCI network.
The checklist came directly from a PCI testing company, and we pass all PCI compliance scans conducted on our sites, For the few exceptions of the ones using Cameras off of the firewall, which open ports and answers during the test. As far as VLAN's are concerned, I haven't looked into enough on the PCI side of things, but from the Book I had to read before I could start working on sites Credit Cards, It has to be isolated and behind a firewall- The back office is behind a firewall, with 2 NIC's to "Isolate" the PoS network. PoS can not have access to the Internet directly, but through the Back office which send information.
FFS, this is so convoluted. Just stop treating the PCI checklist as anything other than a complete joke. I've read the entire **** thing, nothing says you need a separate network.
Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).
VLANs could work.
If it were me reading that checklist, I'd be telling the boss "See this item on the check list? What it means is that they are not encrypting traffic from their software properly."
-
@travisdh1 said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
My boss is pushing PCI Compliance, I don't know enough about it to have an argument against him on this. but according to a PCI Compliance checklist we received last year ( before i was here) It has to be a completely isolated network- Can not be a vLAN, Like I said i don't know enough to have a say,
You can't really believe he's that dumb. He's just saying that. Most people are liars and willing to lie at the drop of a hat to keep from explaining their bad logic or nefarious reasons. It's not really plausible that he's as dumb as you are making him out to be, but easily he's that dishonest.
A fully isolated network means you can't be connected to the Internet, a router or firewall of any sort, etc. There's no way to use credit cards are a physically isolated network, because the credit card processors (Visa, Mastercard, etc.) don't offer a direct connection to them, only ones over shared networks whether phone (no security), fax (no security), or Internet (good security.) The VLAN security is identical to the security of a router or firewall. So the reason for ruling out the one, rules out the other. They are one at the same at the security level - virtual "software" level isolation, not hardware isolation. That's how the entire Internet works.
So pretty black and white, your boss said you can't use credit card processing on your PCI network.
The checklist came directly from a PCI testing company, and we pass all PCI compliance scans conducted on our sites, For the few exceptions of the ones using Cameras off of the firewall, which open ports and answers during the test. As far as VLAN's are concerned, I haven't looked into enough on the PCI side of things, but from the Book I had to read before I could start working on sites Credit Cards, It has to be isolated and behind a firewall- The back office is behind a firewall, with 2 NIC's to "Isolate" the PoS network. PoS can not have access to the Internet directly, but through the Back office which send information.
FFS, this is so convoluted. Just stop treating the PCI checklist as anything other than a complete joke. I've read the entire **** thing, nothing says you need a separate network.
I refer to the above post where I said "I guess reading this more thoroughly so I could continue this conversation: no where does it say It has to be a separate or isolated network, Only that It needs to be behind a firewall as far as Networking is concerned
VLANs could work.
If it were me reading that checklist, I'd be telling the boss "See this item on the check list? What it means is that they are not encrypting traffic from their software properly."
I even added the full 12 requirements : which For everyone's Information, Is the checklist, Just broke down into a Chart with Separate Sections that we call "The Checklist"
and Like I said at the beginning of the PCI compliance Part of this : " I havent looked into enough, or know enough," at the time I was doing what I was told to do. Because this is what The Vendor Said, and what I was taught.
-
@scottalanmiller said in Site Moved a PC=A MESS:
@jaredbusch said in Site Moved a PC=A MESS:
@dustinb3403 said in Site Moved a PC=A MESS:
@jaredbusch said in Site Moved a PC=A MESS:
@dustinb3403 said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
@scottalanmiller said in Site Moved a PC=A MESS:
This is called sabotage. Someone broke something by doing something they clearly had no idea how to do. Now they are hiding things from you to keep it from getting fixed. Time to escalate. Let someone know that the Site Manager has overseen damage to the network and that you have no idea what they have done and that they either aren't able to tell you or are unwilling to do so. Communicate to the powers that be. The Site Manager is responsible, so of course he's trying to blame you. It's HIS fault.
You might need to suggest that given the unknown state of things, starting from scratch might be the best way to quickly resolve issues and know what the state of things is and what has been done.
And get it in writing that sites cannot make changes as policy.
My suggestion was to run new Cables to eat PoS Terminal and go from there. The network tech told him to get the team that moved it back out there - because was not either of our companies that made the move.
Everything has been documented, I may need to just escalate this some more.What company did it? And why is the site manager allowing random, third party companies to touch stuff?
Another Vendor said " I think this is how this goes so I will Do it." and he allowed them too; this is the new Site manager- the one who allowed them to move it is no longer with the site.
The who what or why is the least important thing to be concerned about now. If you have a cable tester, and a have a general idea of where the cable is going, check the switch to see if any of the ports are currently off.
Then put the cable tester on the PC end and get take the switch end and connect it to the tester. This will identify the cable as either being the "one" or not.
From there you just move the cable from that switch port to the new office space as the PoS or Internet line and plug it all back in.
That kind of cable testing is only a continuity tester. that does nothing for a live network because a jack plugged into a switch will not let it work right.
I know, which I why the testing is from the wall to the punchdown block.
That's why the LinkSprinter (or similar form other companies) is a staple for anyone doing actual network wiring for a living.
I love mine.
I love the free one I got!
-
@wrcombs said in Site Moved a PC=A MESS:
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
Could VLAN's work here? I'm almost positive they could, Especially because they have the same security as Routers and Firewalls. Would be worth looking into? For me? Probably not, Because this is standard Practice for the company, and other PoS companies use the same checklists and Diagrams, and typologies (I think that's the word I want).
But you said it was your boss who wanted to be compliant, and then came up with rules that said that you weren't. So the point was, your boss either is SO dumb, or knows he's just being an ass to screw the company.
Maybe it's just easier (for everyone-my boss included) to have two 'separate' networks(?)
So you are just thinking he's a flat out liar that is disrespecting you? Reasonable. But having to deploy and maintain a physically separate network is just more work, for everyone. So doesn't really stand up as logical.
-
@wrcombs said in Site Moved a PC=A MESS:
Right. Crystal clear, no separate networks needed, or even suggested.
-
@wrcombs said in Site Moved a PC=A MESS:
My boss was pushing the compliance issues, Yes, Because it is his job to make sure compliance is met within every site. You're telling me, If im not mistaken, That following directions coming from the vendor is my boss being Dumb? or Being an Ass?
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do no use Vendor- supplied Defaults for system passwords and other security parameters .
I guess reading this more thoroughly so I could continue this conversation: no where does it say It has to be a separate or isolated network, Only that It needs to be behind a firewall as far as Networking is concerned.
Correct, I'm telling you, straight up, that if your boss claims that those words in ANY WAY suggest you can't use a VLAN, he's either insanely stupid, or a ridiculous liar who thinks you easy to push around.
There is NOTHING about a separate network there. Not one thing.
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
-
@travisdh1 said in Site Moved a PC=A MESS:
VLANs could work.
VLANs aren't even needed, according to the PCI checklist. We are literally two whole steps away from the checklist to where his boss is.
Checklist: You need one network with a firewall.
Overkill: Have an isolated network using VLANs.
Boss: Have an isolated network using physically separate equipment that then comingles at the firewall and defeats the purpose.
-
@wrcombs said in Site Moved a PC=A MESS:
I refer to the above post where I said "I guess reading this more thoroughly so I could continue this conversation: no where does it say It has to be a separate or isolated network, Only that It needs to be behind a firewall as far as Networking is concerned
Right. PCI is easy. Like super, duper, fantastically easy. All PCI is is "don't be stupid, follow really ridiculously trivial IT security standard practices", nothing more. Literally, not one thing more. But way less. It's not even as strict as a proper IT department would be.
No network, anywhere, doesn't have a firewall. Maybe your grandmother doesn't, but no business can have Internet access without one today. It's fine that they list it as a requirement, but it's like telling us that all humans entering a foot race must have feet. Um, duh. What makes you have a network in the first place? The firewall. If you didn't have the firewall, you can't reasonably have a network to even secure!
So the checklist is mostly just fluff, just there to say that it exists. Your boss isn't trying to be secure (he's not adding any security), nor is he trying to be easy (he's making things complicated.) What he's doing is wasting resources, disrespecting everyone involved, and any time someone is just being insane... creating insecurity and risk! That's right, your boss is your security risk - because he doesn't use reason or logic. That's where you run into the real problems, when you get people in charge who don't understand what they are doing, don't follow basic standards, and don't trust people who do know and instead start making random, crazy, uninformed decisions and forcing them on people.
Now THAT is what PCI would disallow if a good checklist could be made.
-
@wrcombs said in Site Moved a PC=A MESS:
and Like I said at the beginning of the PCI compliance Part of this : " I havent looked into enough, or know enough," at the time I was doing what I was told to do. Because this is what The Vendor Said, and what I was taught.
The real problem isnt' that you haven't looked into it, but that your boss hasn't looked into it. Your boss can't have even read this checklist casually for how little he seems to know about PCI. He is guiding your company on its PCI compliance, but clearly has less knowledge of PCI than you'd expect to have in passing just from having worked in IT.
-
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
My boss was pushing the compliance issues, Yes, Because it is his job to make sure compliance is met within every site. You're telling me, If im not mistaken, That following directions coming from the vendor is my boss being Dumb? or Being an Ass?
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do no use Vendor- supplied Defaults for system passwords and other security parameters .
I guess reading this more thoroughly so I could continue this conversation: no where does it say It has to be a separate or isolated network, Only that It needs to be behind a firewall as far as Networking is concerned.
Correct, I'm telling you, straight up, that if your boss claims that those words in ANY WAY suggest you can't use a VLAN, he's either insanely stupid, or a ridiculous liar who thinks you easy to push around.
There is NOTHING about a separate network there. Not one thing.
I understand that now, at first I was a little confused, but now having seen and looked into everything more based off of what you are telling me , I find that everything you are saying makes perfect sense
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
-
@wrcombs said in Site Moved a PC=A MESS:
@scottalanmiller said in Site Moved a PC=A MESS:
@wrcombs said in Site Moved a PC=A MESS:
My boss was pushing the compliance issues, Yes, Because it is his job to make sure compliance is met within every site. You're telling me, If im not mistaken, That following directions coming from the vendor is my boss being Dumb? or Being an Ass?
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do no use Vendor- supplied Defaults for system passwords and other security parameters .
I guess reading this more thoroughly so I could continue this conversation: no where does it say It has to be a separate or isolated network, Only that It needs to be behind a firewall as far as Networking is concerned.
Correct, I'm telling you, straight up, that if your boss claims that those words in ANY WAY suggest you can't use a VLAN, he's either insanely stupid, or a ridiculous liar who thinks you easy to push around.
There is NOTHING about a separate network there. Not one thing.
I understand that now, at first I was a little confused, but now having seen and looked into everything more based off of what you are telling me , I find that everything you are saying makes perfect sense
Not that it means you can do something about it. But knowing that the boss is most likely just trying to blow you off, or just trying to make things complicated for some personal reason at the expense of the company makes it far better to be able to at least learn from the scenario.
Your quality take aways here include...
- Your boss is not to be trusted (why, we don't know, but a reliable source, he is not.)
- Look for another job (you know this, but it's a reminder.)
- You now know PCI far better than before (and better than your boss.)
- You now have more experience in evaluating someone giving excuses rather than actual logic.
- Straight from PCI Data Security Standard: Build and Maintain a Secure Network: