Handling The Nervous IT Consultant (For Hikvision Remote Access)

What do you have against the VPN setup?

I see nothing wrong with what the IT consultant wants and I would recommend it.

Does anyone have any silver bullets to make this guy roll over?

Yes, but remember it may take three or more, depending on the formula (weight in kg / age + years in biz). 

One of our customers CC processing companies said if we use just the Server and RTSP ports that would be fine. He said there was a problem with the HTTP port being opened.

I am not a network security professional or by any means know much about PCI compliance. But one of our customers CC processing companies told us that would be fine and they passed.

This is common and a real issue. You absolutely can NOT have open ports in the firewall on the IP of the POS network.

Easy fix, have two public IP addresses; one for the POS network and one for the other network.

Now, when they scan the public IP of the POS LAN, it shows everything closed and secure. You can open any ports on the second public IP only.

Now, if the ISP won't support multiple IP addresses per connection, buy a second connection.

Having worked in IT and still being the liaison with IT departments, the biggest mistake security professionals still make is disregarding the customer's IT department's concern for and the responsibility they have for protecting the security of their network. The fact you installed Hikvision already shows not much of a regard for this and you better hope they don't do more homework on the product.

You need to approach it like a partner with a common goal. Even if the suggestions presented here work, and Jon's is one of the better informed ones, how you approach is it also important. Otherwise, more IT departments will be tackling more CCTV projects on their own because they don't feel the security integrators take them seriously.