We use a virtual terminal on our computer to process credit cards, so our network has to be scanned for PCI compliance. We are failing our compliance scans and I think it is because of our security camera DVR. We have to have ports 80 and 554 open for remote access to the DVR, and these ports are getting flagged in the report. The report says that we are running Linux 2.6 for our operating system, but our computers are both Windows. There are also several issues regarding lighttpd an older version. I don't know what lighttpd is; I assume it is something running on the DVR.
If this is an issue related to the DVR, what can I do to get a passing scan and secure our network? We have a business gateway, and a physical firewall. Are we going to have to set the security DVR up on a separate physical IP address so that the ports can remain open? I have tried contacting the security company and the PCI compliance company for help, and they have both said I needed to contact Comcast.
Thanks for any help you can provide. I called a Comcast support line, was told I needed to be transferred to Technical Support, then I was hung up on.
Yes, the DVR is likely to be the cause of the failure. For testing purposes, close the ports on your router/firewall and re-run the PCI compliance scan. If you still fail, temporarily disconnect the DVR and re-run again.
In general, it's not recommended to have the DVR exposed to the internet in this fashion; many DVR units are running old versions of software/firmware (as the test says), and very often they have many unpatched security vulnerabilities. I usually recommend that for any type of remote access, a VPN setup is used. There are IT service shops that you can call & request that they come set it up for you; it typically involves the purchase of a specific VPN-capable router, and optionally a software license for connecting to it.
Your suggestion of giving the camera's their own static IP would be a "last resort" in my opinion, as you would still be exposing the camera directly to the internet. Port 80 is typically used for un-encrypted, plain-text web access, so your camera system is likely NOT encrypting your connection. If you can, in the configuration page for the cameras, see if you can enable "HTTPS".
"...We use a virtual terminal on our computer to process credit cards, so our network has to be scanned for PCI compliance..."
No, you don't. This is a very popular misconception that is sold by security companies who are trying to make money by charging fees for scanning networks.
A virtual terminal is a completely encapsulated piece of software that if it is written properly CANNOT be broken into by a network attack on the platform it's running on.
Consider it this way. Supposed instead of a virtual terminal you used the SquareUp virtual terminal on your cell phone with a USB cars swipe on it.
When a cell phone gets on the Internet, it's plugged into a network that has millions of hosts infected with all manner of viruses.
If you configure your cell phone to wireless connect to "your network" then run Square on it, you have exactly the same setup.
So, "your network" can be infected with a virus - yet the SquareUp virtual terminal on your cell phone is no more vulnerable than it was when you were using it on the Internet.
Read the PCI Compliants docs for yourself and don't rely on these security companies who make money with FUD.
ONLY networks where there is a network connect to the credit card processor's network must be PCI compliant.
If your virtual terminal software ISN'T ACTUALLY a virtual terminal - and instead, holds unencrypted credit card swipe data in the same main memory that other application programs use and can access - then you have a software vendor problem. You can somewhat mitigate that by placing this software on a dedicated PC on a network that is completely separated from your main network, and restricting it from access to your network and to anywhere on the Internet other than the credit card processors computers - but that is not worth doing unless your a large site. If your a typical site you should NOT be using such software. Instead you should be using a virtual terminal that is in actuality a TRUE virtual terminal.
In summary - if you have any way of picking up a credit card number from your existing Point Of Sale software - you DON'T have a virtual terminal no matter what the lying software vendor may tell you - you must be PCI compliant. Otherwise if it's truly virtual and isolated, you don't.