Security camera NVR is making my network not PCI compliant. What can I do?

Information Security Asked by shywolf91 on November 8, 2021

So family operates a small bar/lounge in Florida and I work for them part time as a bar back / IT technician. For the past couple months we have been trying to become pci compliant. However, we keep running into issues with passing a network vulnerability scan (which I think is being caused by our icrealtime security camera nvr)

We use clover stations for our 3 pos/terminal systems and are, according to cloversecurity site, SAQ type C.

The vulnerability report is as follows:

General remote services - SSL Certificate - Signature Verification Failed Vulnerability httpsport / tcp over ssl 
CGI - HTTP Security Header Not Detected httpsport / tcp 
General remote services - SSL Certificate - Invalid Maximum Validity Date Detected - httpsport / tcp over ssl
General remote services - SSL/TLS Server supports TLSv1.0 - httpsport / tcp over ssl

This is how I have the network set up:
Spectrum modem – > Edgerouter X

On the ERX all 4 ethernet ports are separated (e.g. .1.x , .2.x, .3.x , .4.x).

The .1.x has our jukebox and ATM machine.
The .2.x has our IoT (atm only security camera)
The .3.x and .4.x contain our pos on one and employee and guest wifi (on a r500 AC point)

I have a firewall ruleset allowing only related/established access to the security camera but blocking IoT network from accessing other lans. I am also dropping connections to the http and https ports for the security camera network but the scan still fails.

I can disable https on the box but can’t disable the http and when I do that I still get an error for:

HTTP Security Header Not Detected httpport / tcp 

I’m not sure what else I can do? AFAIK its only the remote gui/webserver of the security camera nvr causing the issues.

additional information: I should have a working security certificate from letsencrypt on the ERX so as I don’t get a warning when accessing the gui on my local network (router gui can’t be accessed outside network and POS network and guest network are blocked from accessing that gui)

2 Answers

It sounds like you've already taken the appropriate step - segregated your networks and limited access between them using a firewall. Now that your IoT network is segregated and out of scope, stop scanning it (for PCI purposes*) and the finding will drop off your PCI report. If you're dealing with an auditor (as opposed to doing a SAQ) then show him a diagram of the separate networks and the firewall separating them.

In short, limit your PCI scope to the .3.x network containing the POS equipment in line with the Network Segmentation section of the DSS. Stop including systems outside that scope in your audit or self assessment.

*Keep scanning it for security purposes

Answered by gowenfawr on November 8, 2021

PCI compliance is for payment processing. Don't put your cameras on your payment processing system.

You want the cameras on their own network so that any camera system compromise doesn’t become a stepping stone into your financial transactions.

You should of course secure the cameras as well, but they need not have any interaction with PCI once they are isolated.

Answered by user10216038 on November 8, 2021

Add your own answers!

Related Questions

Help in Suricata rule bitmask syntax problem

1  Asked on January 18, 2021 by khalid


Challenge-Response authentication and SSL

1  Asked on January 16, 2021 by thunderbolt


Network intrusion security warning in router logs

2  Asked on January 15, 2021 by helpme123


Securing Android Application API access

1  Asked on January 13, 2021 by a-android-ucg


Sqlmap and multipart/form-data forms

2  Asked on January 8, 2021 by brigante


Shared Text Content – XSS Safe

1  Asked on January 8, 2021 by newb-4-you-bb


Ask a Question

Get help from others!

© 2023 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP