Case Study — Retail

Payment Card Data Was Sharing a Network with Guest WiFi

A multi-location retail operation had never completed a PCI DSS assessment. Point-of-sale terminals were on the same flat network as employee workstations and customer WiFi. We fixed it.

Industry: Retail
Location: NJ / CT
Service: Cybersecurity • Network Infrastructure

The Situation

A multi-location retail operation was running point-of-sale terminals on the same flat network as employee workstations, back-office systems, and customer-facing WiFi. Payment card data was traversing shared infrastructure with no isolation, no segmentation, and no firewall rules restricting access between systems that handle payments and systems that do not.

The business had never completed a formal PCI DSS assessment and was not aware of the exposure. It had a working system, a card-processing agreement with its bank, and no obvious symptoms, but the liability was real: PCI DSS obligations attach through that merchant agreement whether or not an assessment has ever been done, and a breach of cardholder data from a flat network carries significant fines, chargeback exposure, and the potential loss of card processing privileges.

What We Did

01

Conducted a PCI Scoping Assessment

We identified every system that stores, processes, or transmits cardholder data, plus every system that connects to one of those or could affect its security: POS terminals, back-office reconciliation workstations, payment processor connections, and any device sharing a network path with them. On a flat network that last category is the entire network, which is why segmentation is the lever that shrinks scope.

02

Isolated Payment Systems on a Dedicated VLAN

All POS terminals were moved to a dedicated VLAN with no lateral access to employee workstations, back-office systems, or any general-purpose network segment. Payment traffic flows only to the payment processor and nowhere else. Where a back-office function such as reconciliation still needs to reach the terminals, that system is in PCI scope too and gets an explicit, documented rule, not a place on the same VLAN.

03

Enforced Strict Firewall Rules on the Payment Segment

Firewall rules permit only the specific outbound connections required for payment processing, to the processor's addresses and ports, and nothing inbound from other segments. All other traffic to or from the payment segment is denied by default: not blocked as an afterthought, but designed out of the architecture. Every permitted rule carries its business justification, so a later review can tell a required exception from an undocumented one.

04

Separated Guest WiFi Onto an Isolated Segment

Customer-facing WiFi was moved onto its own isolated SSID and VLAN with no routing path to any internal network segment. Guests have internet access. They have no access to anything else.

05

Documented the Network and Implemented Quarterly Access Reviews

Network topology, VLAN assignments, and the purpose of every firewall rule were documented. Quarterly reviews are now part of the managed services agreement: firewall rules, VLAN configurations, and access controls are reviewed every 90 days, tighter than the six-month rule-set review PCI DSS itself requires, so compliance posture does not degrade between assessments.
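The segmentation design of steps 02 through 04 and the review invariants of step 05, as an added example that is not code from the original page or from the provider: a small Python model of the firewall policy. The VLAN addressing (10.10/10.20/10.30), the processor range, the representative port list, and the "drifted" rules are all constructed for the example. The firewall is modelled as a first-match rule list with a default deny, and `review()` runs the checks a 90-day access review would apply: guest reaches nothing internal, nothing internal reaches the payment segment, the payment segment egresses only to the processor, and the processor path itself still works.

```python
"""Segmentation policy model and quarterly-review check for the three-VLAN
layout in this case study. Added example, not the page's code. Addressing,
VLAN roles, the processor range and the port list are assumptions; the
firewall is modelled as a first-match rule list with default deny, evaluated
for new connections only (return traffic is left to connection tracking)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional

# Assumed addressing (constructed for the example).
PAYMENT = ip_network("10.10.0.0/24")      # POS terminals: the cardholder data environment
CORP = ip_network("10.20.0.0/24")         # employee workstations and back office
GUEST = ip_network("10.30.0.0/24")        # customer WiFi
PROCESSOR = ip_network("203.0.113.0/24")  # payment processor (TEST-NET-3 placeholder)
INTERNET = ip_network("198.51.100.0/24")  # stand-in for "anywhere that is not the processor"
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""                # business justification, as PCI DSS expects per rule

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst
                and self.proto in (None, f.proto) and self.dport in (None, f.dport))


def decide(rules: list[Rule], f: Flow) -> str:
    """First matching rule wins; a flow no rule mentions is dropped (default deny)."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "drop"


# Baseline as deployed. The "drop to internal" rules sit above the broad
# "accept to anywhere" rules: with first-match semantics, ordering is the control.
BASELINE = [
    Rule(PAYMENT, PROCESSOR, "accept", "tcp", 443, "POS -> processor over TLS"),
    Rule(GUEST, PAYMENT, "drop", note="guest never reaches the CDE"),
    Rule(GUEST, CORP, "drop", note="guest never reaches corp"),
    Rule(GUEST, ANY, "accept", note="guest -> internet only"),
    Rule(CORP, PAYMENT, "drop", note="no lateral access into the CDE"),
    Rule(CORP, GUEST, "drop"),
    Rule(CORP, ANY, "accept", note="corp -> internet"),
    # Nothing else for PAYMENT: every other destination falls to the default deny.
]

# Drift of the kind a 90-day review exists to catch (constructed): a "temporary"
# RDP allow from one back-office host into the CDE, and a guest rule inserted
# above the guest->internal drops.
DRIFTED = [
    Rule(ip_network("10.20.0.50/32"), PAYMENT, "accept", "tcp", 3389, "temp RDP to POS"),
    Rule(GUEST, ANY, "accept", "tcp", 443, "captive-portal fix, inserted at the top"),
] + BASELINE

PROBE_PORTS = (22, 53, 80, 443, 445, 3389, 8443)  # representative; sweep 1-65535 in a real review


def _hosts(net: IPv4Network, rules: list[Rule]) -> list[IPv4Address]:
    """First host of the segment plus the first host of any narrower prefix a
    rule mentions inside it, so host-specific exceptions are not missed."""
    hosts = {next(net.hosts())}
    for r in rules:
        for n in (r.src, r.dst):
            if n != net and n.subnet_of(net):
                hosts.add(n.network_address if n.prefixlen == 32 else next(n.hosts()))
    return sorted(hosts)


def first_accepted(rules: list[Rule], src: IPv4Network, dst: IPv4Network) -> Optional[str]:
    """Describe the first permitted probe from src to dst, or None if all are dropped."""
    ports = sorted(set(PROBE_PORTS) | {r.dport for r in rules if r.dport is not None})
    for s in _hosts(src, rules):
        for d in _hosts(dst, rules):
            for proto in ("tcp", "udp"):
                for p in ports:
                    if decide(rules, Flow(s, d, proto, p)) == "accept":
                        return f"{s} -> {d} {proto}/{p}"
    return None


def review(rules: list[Rule]) -> list[str]:
    """Invariants behind the quarterly access review; empty means the ruleset
    still enforces the segmentation design."""
    findings = []
    for dst in (PAYMENT, CORP):
        if hit := first_accepted(rules, GUEST, dst):
            findings.append(f"guest WiFi reaches an internal segment: {hit}")
    if hit := first_accepted(rules, CORP, PAYMENT):
        findings.append(f"lateral access into the payment segment: {hit}")
    for dst in (CORP, GUEST, INTERNET):
        if hit := first_accepted(rules, PAYMENT, dst):
            findings.append(f"payment segment egress outside the processor: {hit}")
    # A review that only checks denials would miss a deleted rule that breaks card processing.
    if decide(rules, Flow(next(PAYMENT.hosts()), next(PROCESSOR.hosts()), "tcp", 443)) != "accept":
        findings.append("POS -> processor tcp/443 is no longer permitted")
    return findings


if __name__ == "__main__":
    for name, rules in (("baseline", BASELINE), ("drifted", DRIFTED)):
        print(f"{name}: {review(rules) or 'no findings'}")
```

The two drifted rules are the classic failure modes: a host-specific exception that was never removed, and a broad accept inserted above the drops it was supposed to sit below. On the baseline the review returns nothing; on the drifted set it reports the guest path into both internal segments and the back-office RDP path into the POS VLAN. The same rule list maps one-for-one onto a real device's ACL or nftables chain, which is what the 90-day review compares it against.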

The Outcome

  • Cardholder data now isolated to a dedicated, firewall-restricted network segment
  • Guest WiFi has zero network path to payment infrastructure
  • PCI DSS compliance assessment passed following remediation
  • Firewall rules designed to deny by default — payment systems talk only to the payment processor
  • Quarterly network access reviews standard — compliance posture is maintained, not assumed

Work With Us

If You Take Card Payments, Your Network Is in Scope for PCI

We will scope your cardholder data environment, identify what is exposed, and give you a fixed-price plan to bring you into compliance — before an incident forces the conversation.
