Absolutely agree. If he’s running POSs with outdated software then keeping it away from the internet is sensible. I think we’re all making assumptions and we need more info on the devices, software, and the other use cases for the network before we can give any concrete advice.

Yeah I got that. I don’t see the issue though. The previous connection could still be exploited, it’s not like the serial cable stops comms.

I don’t see the issue with the POS terminals having access to the internet. It’s not going to allow inbound connections and the outbound connections will make it much easier to keep them up to date.

Unless I’m missing something here it sounds like they’re trying to make their network unnecessarily complex for no security gain.

I’m not sure I understand the need/concern here, you’re jumping straight to the solution you want, not necessarily need.

What form factor are the POS terminals? iPads, Windows, custom? By default they won’t allow incoming connections anyway. If you’ve got them locked down to a kiosk mode so they only run the POS software and users can’t play with any settings then they’re only going to reach out to legit destinations.

You also need to ensure the terminals are kept up to date, aggressively patch them.

Most routers now have a guest network mode. The simplest network protection for you right now is probably to put your terminals on the main network and everyone else uses the guest network or vice versa.