Credit Card Vendors are probing Clients Networks

c hris527

Known around here
Oct 12, 2015
1,829
2,195
NY
I have a off and on IT client that for the most part is DYI and like to do things themselves. They asked me a few years ago about doing a security system for them, the other guys got the job because of licensing issues here in NY. I got a call from them today and they told me that the credit card vendor will stop doing business with them because of open ports on their router. They have 30 days to resolve this or its curtains for their credit card swiper. I stopped over tonight and turns out its all about what the other guys did, I gave them a choice, I can fix it NOW and close it up and loose the remote viewing or we can get them set with a new router with a VPN. Needless to say they were really pissed off about what I had to say. Now they start bitching about the other guy who installed the system...hahahah ..I did a quick GRC scan and showed them port 80,554,555,556,557 and 558 were open. They paid me and my guess they will try to get the other guys to fix it or do a DYI VPN themselves. This is not the first time I have run into this. I also had a dental office combine phone systems and they ended up taking out my firewalls and put their stuff in for VPN's for the phone systems. I told the client that once they did that, the telecom company owned it and I was not responsible for security issues anymore. Same thing with open ports and the credit card company. Took them about a month to get it fixed.
 
Have the guys who fuQed it up in the first place fix it. Priceless. spank.gif
 
  • Like
Reactions: Maat
I’ve run into this too. It’s all part of PCI compliance. They do more than just scan your firewall. They also scan your internal network from a website you have to log into that grants them access. We got dinged because our DVR had port 80 open on the internal network with no ports forwarded thru the firewall.
 
  • Like
Reactions: mat200
I’ve run into this too. It’s all part of PCI compliance. They do more than just scan your firewall. They also scan your internal network from a website you have to log into that grants them access. We got dinged because our DVR had port 80 open on the internal network with no ports forwarded thru the firewall.

Are you not supposed to have file servers or network printers either? Dinging people for stuff that isn't public facing is ridiculous.
 
Are you not supposed to have file servers or network printers either? Dinging people for stuff that isn't public facing is ridiculous.

Hi @Mr_D

There are security requirements that also apply to internal networking as many CC ID info is "stolen" ( technically copied ) by insiders. So there's a whole list of compliance items you need to address which would include printers and servers on the internal network.
 
I know here in NY I believe the State Comptrollers office will go around to local Municipalities and look at security and backup practices by the Towns and County's and other Authorities deemed Public. I have personally been on the receiving end of that getting them up to snuff. The Days of having someones brother in law putting in a consumer based WiFi so the Employees can get Internet on the phones is over. I have personally seen Open WIFI networks on Town systems and NO router or firewall at all , Just hooked up to a switch and all the computers exposed(that was at a local firehouse).
 
I’ve run into this too. It’s all part of PCI compliance. They do more than just scan your firewall. They also scan your internal network from a website you have to log into that grants them access. We got dinged because our DVR had port 80 open on the internal network with no ports forwarded thru the firewall.
Yeah, I had a hardware store customer go thru the PCI compliance update for their CC machines I think it was '16 or '17. In addition to the "expected" security issues (forwarded ports, uPNP, P2P, etc. on the router) they even get into Wi-Fi security on the same router as the CC machines, no unsecured empty LAN ports out in the open, access to the network and PC's by employees, employee trust and the need for up-to-date, periodically-run antivirus programs on every PC on the network.
 
  • Like
Reactions: mat200
NO, a security system, I lost the bid because the sell here in NY is you MUST be licensed to install security systems. The people who installed the security system port forwarded the router so they can use the mobile app.
How do they define "security system"? The definitions in these statutes are always something you have to pay attention to. It probably doesn't cover network wiring, but a low voltage license could be required.
 
  • Like
Reactions: mat200
How do they define "security system"? The definitions in these statutes are always something you have to pay attention to. It probably doesn't cover network wiring, but a low voltage license could be required.
They are very specific to include any type of surveillance camera installation. New York is actually pretty lax only requiring 81 hours of classroom instruction whereas States like New Jersey require 4 years of work experience etc.
New York State 81hr License Course
 
  • Like
Reactions: mat200
Yeah, I had a hardware store customer go thru the PCI compliance update for their CC machines I think it was '16 or '17. In addition to the "expected" security issues (forwarded ports, uPNP, P2P, etc. on the router) they even get into Wi-Fi security on the same router as the CC machines, no unsecured empty LAN ports out in the open, access to the network and PC's by employees, employee trust and the need for up-to-date, periodically-run antivirus programs on every PC on the network.
That reminds me I've got some really blatant PCI DSS violations I need to report.
 
  • Like
Reactions: mat200
How do they define "security system"? The definitions in these statutes are always something you have to pay attention to. It probably doesn't cover network wiring, but a low voltage license could be required.
Its all lumped in together with Security, fire and alarm systems, and a few other things, like @fenderman said. I know installers who do not have it who have been doing it for years without any issues.
 
I can understand requiring a license to install fire/burglar alarms as those could potentially waste police and fire department resources. But what's the justification for camera installers?
 
  • Like
Reactions: mat200
Yep.
Kinda like in my state...there's a state-collected "Business Privilege Tax" that licensed businesses have to pay every year ON TOP of a state, county or city business license.
Never mind you already have paid for one or more business licenses, are running a business that pays state income and state and local sales taxes, and employs people and helps keep them off welfare or unemployment by doing so....you have to pay for "the privilege of having or running a business."
Bull crap....just another ploy to get money by taxing those trying to support themselves and contribute to their community instead of being leeches and lard-butt do-nothings. :mad:
 
  • Like
Reactions: Maat and looney2ns
I can understand requiring a license to install fire/burglar alarms as those could potentially waste police and fire department resources. But what's the justification for camera installers?
What is to stop a convicted felon from posting a ad on craigslist and install a system in your house, then watch you when you come and go, I know you :as a employee" have to be drug tested if you install and have a clean background. If you are licensed, then you can say all that has been checked. Thats ONE good reason.
 
  • Like
Reactions: Q™