POS, Camera, and Office Network Segmentation for Auto-Service Shops

Summary: A VLAN-based segmentation guide for auto-service and workshop environments — payment POS devices, license-plate recognition cameras, and office computers.
Summary: Network design in auto-service shops is built around isolating payment devices (POS) under PCI-DSS hygiene, separating license-plate cameras into a recording network, and running workshop operational devices independently from office computers. When everything sits in one flat network and shares a broadcast domain, jumping from the card terminal to the office file server becomes technically possible; the right VLAN segmentation removes that risk by design.
The plate-recognition camera at the entrance of an auto-service shop, the tablet in the workshop, the office PC writing the estimate, the POS at the cashier: if they all hang off the same modem, the shop is exposed to both operational drag and security risk. While a customer is paying, the card terminal and an attachment opened in office email sit on the same network, which in practice is an attackable combination.
In this article we cover how POS, camera, and office systems should be separated on the network for auto-service owners and IT leads. Our target scale is independent auto-service shops and dealer back-shops with 2-15 bays.
Three Different Device Profiles on an Auto-Service Network
An auto service has three main device groups with very different purposes. Keeping these three groups on the same network is the most common security gap.
1. POS and Payment Devices
Card terminals (under PCI-DSS scope), the cashier computer, the receipt printer. High security requirement, outbound internet access must be tightly controlled.
2. Camera and Plate-Recognition Systems
Workshop and entry/exit cameras, license-plate-recognition (LPR/ANPR) cameras, the NVR recorder. Continuous high bandwidth, authenticated internal access, limited outbound traffic.
3. Office PCs and Workshop Devices
Quote/estimate software, customer management (CRM), parts inventory, workshop tablets/PCs, printers. Broad internet access, email, web browsing.
When they share the same broadcast domain, a weakness in one group can hop to the others.
Recommended VLAN Structure
A practical VLAN scheme for a standard auto-service shop:
| VLAN | Purpose | Internet Access |
|---|---|---|
| 10 | Management (switches, APs, routers) | None |
| 20 | Office PCs, CRM, quotes | Yes (filtered) |
| 30 | POS / card terminals | Yes (only bank/payment services) |
| 40 | IP phones / PBX | Yes (SIP only) |
| 50 | License-plate and security cameras | Yes (limited, only for cloud backup) |
| 60 | Workshop tablets, mobile devices | Yes (filtered) |
| 100 | Guest Wi-Fi (waiting room) | Yes (internet only) |
Cross-VLAN access is limited by firewall rules. For example, the POS VLAN must never be allowed to reach the office VLAN, and guest Wi-Fi must not reach the internal network.
The POS Segment: PCI-DSS Hygiene
Card terminals are in scope for PCI-DSS. Turkish bank POS providers process card data on the device and send it encrypted to the payment gateway; nonetheless, the network design must still meet a minimum security bar.
Critical Rules
- POS devices live on their own VLAN, on their own switch ports
- This VLAN may only make outbound connections to the bank/payment provider's IPs
- Prefer wired POS connections over Wi-Fi
- If Wi-Fi is required: WPA2/WPA3 Enterprise, a dedicated SSID, MAC filtering
- No general internet browsing or email on the POS network
- No other devices (including printers) on the POS segment
Common Mistakes
| Mistake | Risk |
|---|---|
| POS and office PC on the same switch port | Office → POS hop |
| POS Wi-Fi password unchanged for years | Card-fraud chain |
| POS firmware update skipped | Known vulnerabilities exposed |
| POS connection logs not monitored | Abnormal traffic goes unnoticed |
| Guest Wi-Fi and POS share an SSID | POS visible from a customer's phone |
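The last two table rows become checkable once firewall logs are reviewed against the "bank/payment provider only" rule. The script below is an added example, not part of the original article: the POS subnet, the payment-provider range (a documentation prefix), the port, and the log format are all assumptions, and the sample log lines are constructed.

```python
import ipaddress

# Assumptions (not from the article): POS VLAN 30 is 10.0.30.0/24 and the
# payment provider publishes 203.0.113.0/28 (documentation range) on TCP 443.
POS_NET = ipaddress.ip_network("10.0.30.0/24")
PAYMENT_NETS = [ipaddress.ip_network("203.0.113.0/28")]
PAYMENT_PORTS = {443}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed firewall flow log, one flow per line: time src dst dport action
SAMPLE_LOG = """\
2024-05-06T09:14:02 10.0.30.11 203.0.113.5 443 allow
2024-05-06T09:14:40 10.0.30.11 10.0.20.20 445 deny
2024-05-06T09:15:03 10.0.20.31 198.51.100.9 443 allow
2024-05-06T09:16:19 10.0.30.12 198.51.100.77 443 allow
2024-05-06T09:17:55 10.0.30.12 203.0.113.5 8080 deny
malformed line here
"""

def classify(line):
    """Return (severity, detail) for a POS-sourced flow outside policy, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None                      # skip lines that are not flow records
    _, src, dst, dport, action = parts
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        port = int(dport)
    except ValueError:
        return None
    if src_ip not in POS_NET:
        return None                      # only the POS segment is in scope here
    if any(dst_ip in n for n in PAYMENT_NETS) and port in PAYMENT_PORTS:
        return None                      # expected payment traffic
    reason = "internal destination" if dst_ip in INTERNAL else "outside payment allowlist"
    # An allowed flow means the firewall rule itself is too wide; a denied one
    # means the rule held but the terminal attempted something unexpected.
    severity = "critical" if action == "allow" else "warning"
    return severity, f"{src} -> {dst}:{port} ({reason}, {action})"

def scan(log_text):
    """Classify every line and return the findings in log order."""
    return [hit for line in log_text.splitlines() if (hit := classify(line))]

if __name__ == "__main__":
    for severity, detail in scan(SAMPLE_LOG):
        print(severity, detail)
```
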
Camera and Plate-Recognition Segment
License-plate-recognition (LPR/ANPR) cameras have become one of the most common investments at auto-service shops in recent years: as the customer arrives, the plate is read, the previous service record is pulled up on-screen, and the customer is greeted automatically.
Bandwidth Profile
- Standard 4MP IP camera: 4-8 Mbps continuously
- Plate-recognition camera: 8-16 Mbps + AI processing
- A typical 8-camera service: 60-120 Mbps internal network traffic
Plate-Recognition Integration
Plate-recognition systems often require integration with the dealer/service management system (DMS): the camera reads the plate → the API queries the DMS → the vehicle history appears on screen. This integration is built with controlled cross-VLAN access:
- Plate-camera VLAN → DMS server only on specific ports
- One-way; no access from DMS to the camera
- API calls are logged and rate-limited
The KVKK Dimension
A license plate is personal data under KVKK. Recorded plates:
- Must be disclosed in a privacy notice (at the service entrance)
- Must be deleted after a defined retention period (e.g., 90 days)
- Must be inaccessible to unauthorized people
- Must be reflected in the VERBİS filing
Office and Workshop Devices
The office side has the broadest internet access and is therefore the most exposed to phishing and ransomware.
Office Computers
- Email, web browsing, CRM/DMS software
- Endpoint protection (EDR) is mandatory
- Regular patch management
- Backup files on a separate server/NAS, with no direct access
Workshop Tablets
Mobile devices move across the workshop floor; they update work orders, take photos, and look up parts.
- Managed via MDM (mobile device management)
- Remote lock/wipe for drop/loss scenarios
- Personal use disabled (corporate device)
- Controlled charging stations near the workshop entrance
Workshop Wi-Fi
The workshop is a noisy RF environment: car lifts, welding machines, compressors. Coverage design:
- Industrial-grade APs (dust and moisture resistant)
- Prefer 5 GHz; 2.4 GHz interference is high
- Door/wall openings should be factored into signal-flow planning
Cashier-POS-Office Flow: Controlled Integration
The customer comes to the cashier when service is done, the office staff issues the invoice from the DMS, the POS device processes the amount. That flow crosses three different VLANs:
Office VLAN (DMS) → Invoice issued
↓
Printer (Office VLAN) → Invoice printout
↓
POS VLAN (Card terminal) → Amount processed
↓
POS → Bank (only the external payment service)
Inter-VLAN communication happens only in the necessary directions (DMS API → invoice module) and under strict firewall rules. There is no need for data to flow from POS back to DMS; the payment confirmation is read from the POS screen and confirmed manually by the office staff.
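The cross-VLAN constraints stated in this article (POS never reaches the office VLAN, guest Wi-Fi never reaches the internal network, the camera VLAN reaches the DMS only on a specific port and never the reverse) can be tested against a proposed rule list before it is deployed. The checker below is an added example, not part of the original article; the 10.0.<VLAN>.0/24 addressing, the DMS address, and its port 443 are assumptions, and both rule sets are constructed.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, 0 = any
    action: str   # "allow" or "deny"

def decide(rules, src, dst, port):
    """First match wins, default deny. Models new connections only (stateful replies assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "deny"

# Assumed addressing, not from the article: VLAN n = 10.0.n.0/24,
# DMS server at 10.0.20.10 (office VLAN) with its API on TCP 443.
DMS = "10.0.20.10"
PROBES = [  # (description, src, dst, port, expected decision)
    ("POS -> office file server", "10.0.30.5", "10.0.20.20", 445, "deny"),
    ("POS -> DMS", "10.0.30.5", DMS, 443, "deny"),
    ("guest -> office", "10.0.100.7", "10.0.20.20", 445, "deny"),
    ("guest -> POS", "10.0.100.7", "10.0.30.5", 443, "deny"),
    ("guest -> management", "10.0.100.7", "10.0.10.2", 22, "deny"),
    ("camera -> DMS API", "10.0.50.8", DMS, 443, "allow"),
    ("camera -> DMS other port", "10.0.50.8", DMS, 3389, "deny"),
    ("camera -> other office host", "10.0.50.8", "10.0.20.20", 443, "deny"),
    ("DMS -> camera (one-way only)", DMS, "10.0.50.8", 80, "deny"),
]

def audit(rules):
    """Return a finding for each probe whose decision differs from the expected one."""
    findings = []
    for name, s, d, p, want in PROBES:
        got = decide(rules, s, d, p)
        if got != want:
            findings.append(f"{name}: got {got}, want {want}")
    return findings

GOOD = [Rule("10.0.50.0/24", "10.0.20.10/32", 443, "allow")]
# Constructed misconfiguration: a broad convenience rule placed before the specific one.
BAD = [Rule("10.0.0.0/16", "10.0.20.0/24", 0, "allow")] + GOOD

if __name__ == "__main__":
    print(audit(GOOD), audit(BAD), sep="\n")
```

The probes sample one host per segment, so a clean result shows the listed paths are closed, not that every address pair is.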
Guest Wi-Fi (Waiting Room)
The customer drops off the vehicle and connects to Wi-Fi in the waiting room. This Wi-Fi:
- Sits on a fully separate VLAN (100)
- Has no access to the internal network whatsoever — explicitly denied at the firewall
- Is logged via a 5651-compliant logger
- Authenticates users via a captive portal (SMS code is enough)
- Is limited to 10-20 Mbps of bandwidth per guest
Backup Internet Connectivity
For POS, plate recognition, and remote support, internet outages are not tolerable. A backup link is essential:
- Primary: fiber (Türk Telekom, TurkNet, etc.)
- Backup: 4G/5G or a second ISP
- Automatic failover (simple failover router or SD-WAN)
- Monthly failover test
What Yamanlar Bilişim Offers
End-to-end support areas sized to auto-service shops:
- Physical network discovery of workshop + office
- VLAN design and switch configuration
- PCI compliance audit of the POS segment
- Plate-recognition camera integration
- Controlled cross-VLAN access with the DMS software
- Workshop Wi-Fi coverage design
- 4G/5G failover backup link
- Annual network health check
Conclusion
An auto-service network brings together disciplines that range from POS security to plate-recognition KVKK compliance and from workshop Wi-Fi stability to the customer waiting room — in a single design. Proper VLAN segmentation is not only about "security"; it is equally a question of operational efficiency and customer experience.
At Yamanlar Bilişim, we deliver network designs that scale to your service shop's size and existing infrastructure — bringing your cashier, workshop, and office together in one flow, but with the right boundaries.
Frequently Asked Questions
Isn't a single modem easier to manage — why go into VLANs?
The ease is visible, the cost silently builds: one attack on the POS segment breaks your relationship with the bank and can trigger a card-fraud case; a plate-camera stream slowing the office CRM hurts staff productivity. VLANs are 2-3 days of work to set up and then untouched for years. The operational and security payback is not arguable.
My POS provider gave us a Wi-Fi POS — can I accept it?
You can, but the Wi-Fi POS must have its own dedicated SSID, run on WPA2/WPA3 Enterprise, and live on a separate VLAN. A Wi-Fi POS connected to the office Wi-Fi is a poor setup — any computer in the office can see the POS's traffic. Have this conversation explicitly with the provider.
Is a plate-recognition system mandatory under KVKK?
It is not mandatory, but it has become very common. KVKK compliance has two requirements: (1) a privacy notice must be displayed at the entrance (cameras are recording, plates are read, retained for X days, etc.), (2) the VERBİS filing must include camera and plate-recognition processing purposes. If these two are in place, processing can rely on legitimate interest, and explicit consent is not required.
Workshop Wi-Fi keeps dropping — what's the fix?
The workshop is a high-RF-noise environment. Home/office APs are not enough. The solution: industrial APs (Aruba 560, Cisco IW, Cambium ePMP), prefer 5 GHz, channel planning, and if needed 2-3 APs across the workshop. A site survey produces a real signal map and finds the trouble spots quickly.
Is it legal to share guest Wi-Fi with office Wi-Fi?
Legally, if a 5651 logger is in place and user connections are logged, the requirement is met. But it is unacceptable from a security perspective — a customer's phone in the waiting room can see your office file server. Legal compliance and security are not the same thing; both are required.
How much does 4G/5G backup internet cost monthly — is the ROI reasonable?
SME packages run TRY 200-500/month. During a one-hour internet outage, POS will not work, the customer cannot pay, and appointments cannot be saved — the operational loss covers the monthly fee very quickly. Failover also keeps work going during the possible long outages of the primary fiber link.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.