Most operators think a guest Wi-Fi network with its own name is separated from the network that runs their payments. It is not. A separate SSID broadcasting off the same flat network is still one network, and under PCI DSS 4.0 that means your card processing and your customers browsing on their phones share the same audit scope. The fix is not a setting on your router. It is proper network segmentation, and it lives in the infrastructure your POS runs on, not in the POS software.
Is guest Wi-Fi really in scope for PCI?
If it shares a network segment with your payment traffic, yes. PCI DSS scopes every system component that stores, processes or transmits cardholder data, sits on the same network segment as one that does, or could otherwise affect the security of the cardholder data environment. A guest network on the same flat LAN as your terminals is on that segment, no matter what you named the SSID. Segmentation is not itself a PCI DSS requirement, but it is the standard way to reduce scope: isolate the cardholder data environment onto its own VLAN, put firewall rules between it and everything else, and document and verify that those rules hold. Done properly, that is what takes guest Wi-Fi, back-office machines, and digital signage out of scope. Without it, every device on the network is in scope, every device has to be assessed, and every device is a place the assessment can fail.
Does a separate Wi-Fi name count as segmentation?
No, and this is the single most common gap we find. A separate SSID is a label, not a boundary; the frames land on the same switch and the same IP network as the terminals. True segmentation means guest traffic cannot reach the payment segment at all, enforced by VLANs on the switches and firewall rules between the VLANs, and it has to be tested rather than assumed. PCI DSS 4.0 requires segmentation controls to be validated by penetration testing at least once every 12 months for merchants and at least every six months for service providers, and in both cases after any change to the segmentation controls or methods. A network that was segmented correctly two years ago and never tested since is not a network you want to bring to an assessment.
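What "tested" means in practice is worth showing. The script below is an added example, not tooling from this page or its author: it is run from a host on the guest VLAN and tries to open TCP connections to every endpoint in the cardholder data environment. The CDE addresses and ports in it are constructed placeholders; replace them with your own inventory. A completed handshake is a segmentation failure. A refused connection is also worth flagging, because a TCP reset means the guest VLAN can route to the CDE host even though that particular port is closed; a correct firewall policy between the segments drops the packets, so the probe should time out.

```python
"""Segmentation reachability check, run from a host on the guest VLAN.

Added example, not tooling from the page or its author. Every CDE address
and port below is a constructed placeholder; substitute your own inventory.
"""
import socket
from dataclasses import dataclass

# Constructed inventory of cardholder-data-environment endpoints.
# From a correctly segmented guest VLAN, none of these should answer.
CDE_TARGETS = [
    ("10.10.20.10", 443),   # hypothetical POS gateway, HTTPS
    ("10.10.20.10", 22),    # hypothetical POS gateway, SSH
    ("10.10.20.21", 3389),  # hypothetical back-office host, RDP
]


@dataclass
class Probe:
    host: str
    port: int
    reachable: bool   # True only if the TCP handshake completed
    detail: str       # "connected", "refused", "timeout" or an errno


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> Probe:
    """Attempt one TCP connect from the current host to host:port.

    connected -> guest segment reaches a CDE service (segmentation failure)
    refused   -> host routable, port closed (guest VLAN can still reach it)
    timeout   -> packets dropped, the expected result behind a deny rule
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return Probe(host, port, True, "connected")
    except ConnectionRefusedError:
        return Probe(host, port, False, "refused")
    except socket.timeout:
        return Probe(host, port, False, "timeout")
    except OSError as exc:  # no route to host, network unreachable, ...
        return Probe(host, port, False, f"errno {exc.errno}")


def check_segmentation(targets, timeout: float = 2.0):
    """Probe every target and return (failures, host_answered).

    failures      - probes where the connection completed
    host_answered - probes that got a reset, proving the host is routable
    """
    failures, answered = [], []
    for host, port in targets:
        p = probe_tcp(host, port, timeout)
        if p.reachable:
            failures.append(p)
        elif p.detail == "refused":
            answered.append(p)
    return failures, answered


if __name__ == "__main__":
    fails, answered = check_segmentation(CDE_TARGETS)
    for p in fails:
        print(f"FAIL  {p.host}:{p.port} reachable from guest VLAN")
    for p in answered:
        print(f"WARN  {p.host}:{p.port} closed, but host is routable from guest VLAN")
    if not fails and not answered:
        print(f"OK    {len(CDE_TARGETS)} CDE endpoints silent from guest VLAN")
```

Run it from the guest VLAN before and after any firewall or VLAN change, keep the output with the change record, and treat any FAIL or WARN as a finding to fix before the next assessment. It is a quick sanity check, not a substitute for the penetration test the standard requires, but it catches the flat-network case in seconds.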
What does PCI DSS 4.0 actually require since March 2025?
PCI DSS 4.0 has been fully in force since March 31, 2025, when the future-dated requirements stopped being best practice and became mandatory. The headline ones for most operators: multi-factor authentication for all access into the cardholder data environment (Requirement 8.4.2) and stronger password rules, including a 12-character minimum (Requirement 8.3.6). The segmentation testing cadence above is not new; it carried over from 3.2.1 and now sits at Requirements 11.4.5 and 11.4.6. The version in effect today is 4.0.1, a limited revision that clarifies wording without adding requirements. None of this is about your point-of-sale application. It is about the network, the access controls, and the platform around it, which is exactly the part most businesses have stitched together from three or four different vendors.
How much does proper segmentation actually save you?
The value is scope reduction. Segmentation that isolates the cardholder data environment can take the large majority of your systems out of PCI scope, which means fewer systems to secure, document, and test, and a faster, cheaper assessment. The downside of getting it wrong runs the other way: the commonly cited non-compliance fines, levied by the card brands through your acquirer, run from 5,000 to 100,000 dollars per month, and IBM's Cost of a Data Breach Report 2024 put the global average cost of a breach at 4.88 million dollars, with hospitality among the fastest-rising sectors. A flat network is not a convenience you are getting away with. It is an open invoice.
Who should own the network and the payments together?
The same team. When your processor, your network installer, and your IT support are three separate companies, segmentation falls into the gap between them, each one assuming someone else handled it. We process your cards through Global Payments on the POS you already run, install the payment hardware white-glove, and build and segment the network underneath it, so the cardholder data environment is isolated correctly the first time and stays that way. One team owns the terminal, the VLAN it talks over, and the firewall in front of it.
Start with payments on your existing POS, then let the same team secure the network it runs on. Book a call and we will scope your segmentation around the deadline you are actually facing.