Retail

POS Network Segmentation and Payment Path Control

Retail networks span thousands of locations, each processing payment card data through point-of-sale systems connected to corporate infrastructure. A single compromised store can provide a path to every other location in the estate.

When a guest Wi-Fi access point and a payment terminal share the same network, every customer browsing the internet is a potential path to payment card data.

100%: Payment network isolation from store IT

Zero: Persistent vendor paths to POS systems

4: Store network zones with independent governance

Full: PCI DSS 4.0 network segmentation evidence

The Challenge

Retail networks are distributed and high-value targets.

POS Compromise

Point-of-sale systems across thousands of locations create a massive attack surface for payment card data theft.

Flat Store Networks

Many retail locations share a single network for POS, back-office, CCTV, and guest Wi-Fi, enabling lateral movement from any entry point.

Supply Chain Risks

POS software vendors, payment processors, and maintenance contractors each create persistent pathways into the payment environment.

The Scenario

Scenario: Estate-Wide POS Compromise

Attackers compromise a POS software update server and distribute a modified update containing memory-scraping malware. The update propagates to 1,200 stores over a routine maintenance cycle. The malware scrapes payment card data from POS process memory and exfiltrates it through the store's internet connection, which the POS systems share with everything else in the store. Over eight weeks, 4.3 million payment card numbers are stolen. With Firevault Control, POS networks are physically separated from store internet connectivity. The malicious update cannot exfiltrate data because the POS network has no route to the internet: its only permitted egress is the defined path into the payment zone. Software updates reach the POS only through controlled, authorised transfer windows, and each package is integrity-checked before it is applied.

"Our PCI assessor told us our segmentation was compliant. But it was VLAN-based. When the attackers compromised the switch management interface, every VLAN boundary in the estate became meaningless."

Module deployment · retail network

Where each Control module is deployed across stores, e-commerce, payments and vendors.

Retail estates carry an internet edge, a corporate office, store and POS systems, an e-commerce platform and the cardholder data environment that handles payments. Control puts a real boundary at every change of trust.

Grounded in PCI DSS 4.0 network segmentation guidance and NCSC retail sector guidance.

R0 · Internet / Customers (External)
Systems: Web, Mobile app
Modules on the R0 to R1 link: Firebreak, Validate
External traffic stops at the perimeter.

R1 · Perimeter / DMZ (DMZ · trust boundary)
Systems: WAF, Reverse proxy
Modules on the R1 to R2 link: Isolate
Corporate sits behind its own boundary.

R2 · Corporate IT (IT)
Systems: Office, SOC / SIEM, HQ identity
Modules on the R2 to R3 link: Isolate, Validate
Corporate cannot reach e-commerce on its own terms.

R3 · E-commerce (IT)
Systems: Order mgmt, Web apps, Fulfilment
Modules on the R3 to R4 link: Relay, Lock
Store networks are reachable on a defined route.

R4 · Stores and POS (Field)
Systems: Tills, Back-of-house, Store network
Hundreds of physical sites.
Modules on the R4 to R5 link: Isolate, Lock, Execute
Payments segmented to PCI scope.

R5 · Payments (CDE) (Data)
Systems: Payment switch, Tokenisation
Cardholder data environment, PCI in scope.
Modules on the vendor link: Relay, Firebreak, Unlink
Vendor and partner access opens on a schedule.

VND · Vendor zone (DMZ · trust boundary)
Systems: MSP, Payment partners

OSS · Offline Secure Storage (crown jewels, off-network)

Detail callout · A

Offline Secure Storage

Transaction archives, customer records, evidence and any data you need to keep recoverable.

Offline by design · secure by default

Modules & symbols

Firebreak: Physical sever
Validate: Integrity check
Isolate: Zone boundary
Relay: Time-bound path
Lock: Named access
Execute: Approved action
Unlink: Remove trust
DMZ boundary: Trust transition
OSS callout: Off-network detail

Where each module is deployed, and what it does there.

One row per module. Placement on the network, then plain-English purpose at that point.

  1. Firebreak

    On the R0 to R1 link and the vendor link

    Real hardware off-switches on the public and vendor boundaries, ready to sever the live path during an incident.

  2. Validate

    On the R0 to R1 link and the R2 to R3 link

    Inbound traffic and cross-tier requests are checked for origin and integrity before they progress.

  3. Isolate

    On the R1 to R2, R2 to R3 and R4 to R5 links

    Corporate, e-commerce, stores and payments sit on their own physical fabrics, in line with PCI segmentation expectations.

  4. Lock

    On the R3 to R4 link and the R4 to R5 link

    Access to store and payment systems is tied to named users holding the right entitlement.

  5. Execute

    On the R4 to R5 link

    Cross-system actions require approval. Execute holds the action until that approval is in place.

  6. Relay

    On the R3 to R4 link and the vendor link

    Store and vendor paths open for the window of work and not a minute more.

  7. Unlink

    On the vendor link

    When a vendor relationship ends, Unlink removes the persistent connection and the inherited trust.

Featured In

TechRadar Pro · Security Buyer · Yahoo Finance · SecurityBrief · Channel Insider

Key Capabilities

Sovereign Payment Data

All payment system configurations and cardholder data paths remain within the agreed jurisdiction in secured Firevault Bunkers.

Multi-Party Update Control

POS software updates and configuration changes require sign-off from both IT operations and security teams before deployment.
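As an added example, not code from this page or from the Firevault product: a store-side update gate that enforces both the integrity verification mentioned in the scenario above and the dual sign-off described here. Each team approves a canonical manifest that pins the package digest, and the store agent installs only when the package hash matches the manifest and both required approvals verify. Approvals are HMAC tags so the block runs on the standard library alone; the approver keys, manifest fields and sample package are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Both teams must sign off before a store installs anything.
REQUIRED_APPROVERS = ("it_ops", "security")

# Constructed approver keys (assumption for the example). Because these are
# HMAC keys the store agent holds forgery-capable secrets; a production build
# would use per-team asymmetric signing keys with only public keys on the agent.
APPROVER_KEYS = {
    "it_ops":   b"it-ops-approval-key-0001",
    "security": b"security-approval-key-0001",
}


def canonical(manifest: dict) -> bytes:
    # Sorted, whitespace-free JSON so every party hashes identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(name: str, version: str, package: bytes) -> dict:
    # The manifest pins the exact package bytes via SHA-256.
    return {"package": name, "version": version,
            "sha256": hashlib.sha256(package).hexdigest()}


def approve(role: str, manifest: dict, key: bytes) -> str:
    # A team's approval is a tag over the manifest, so it is bound to the digest.
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(package: bytes, manifest: dict, approvals: dict) -> tuple:
    """Store-side gate. Returns (ok, reason); install only when ok is True."""
    if hashlib.sha256(package).hexdigest() != manifest.get("sha256"):
        return False, "package digest does not match manifest"
    msg = canonical(manifest)
    for role in REQUIRED_APPROVERS:
        tag = approvals.get(role)
        if tag is None:
            return False, f"missing approval from {role}"
        expected = hmac.new(APPROVER_KEYS[role], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, f"invalid approval from {role}"
    return True, "digest verified and approved by all required parties"


# Constructed sample package and an attacker-modified variant.
GOOD_PACKAGE = b"pos-agent 4.2.1 genuine build\n"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"memory-scraper payload\n"


def demo() -> dict:
    manifest = build_manifest("pos-agent-4.2.1.tar", "4.2.1", GOOD_PACKAGE)
    both = {r: approve(r, manifest, APPROVER_KEYS[r]) for r in REQUIRED_APPROVERS}
    only_it = {"it_ops": both["it_ops"]}
    # A compromised update server that rebuilds the manifest for the tampered
    # package but can only replay the old approval tags.
    tampered_manifest = build_manifest("pos-agent-4.2.1.tar", "4.2.1", TAMPERED_PACKAGE)
    return {
        "genuine_dual":            verify_update(GOOD_PACKAGE, manifest, both),
        "tampered_after_approval": verify_update(TAMPERED_PACKAGE, manifest, both),
        "single_approver":         verify_update(GOOD_PACKAGE, manifest, only_it),
        "replayed_approvals":      verify_update(TAMPERED_PACKAGE, tampered_manifest, both),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:24s} {'INSTALL' if ok else 'REJECT':7s} {why}")
```

The second and fourth cases are the scenario on this page: a package altered after approval fails the digest check, and a rebuilt manifest with replayed approvals fails because the tags no longer match. The third case shows that holding one team's key is not enough.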

PCI DSS 4.0 Evidence

Automated compliance logging generates continuous evidence for PCI DSS 4.0 network segmentation requirements across the entire estate.

Cellular Failover

Out-of-band management via cellular connectivity ensures control over store networks independent of primary WAN connections.

Estate-Wide Audit Trail

Every access, update, and authorisation across all locations is recorded in centralised, tamper-evident logs.

Rapid Store Recovery

Verified baselines of POS configuration enable rapid restoration of compromised stores without relying on production systems.

Demo to Live

Adoption Guide

Step 1

Estate Network Assessment

Audit network architecture across representative store locations to identify payment path exposure and segmentation gaps.

Step 2

Store Zone Architecture

Design standardised store network zones for POS, back-office, CCTV, and guest access with Control modules at each boundary.

Step 3

Pilot Store Deployment

Deploy in a representative group of stores with full payment path isolation, controlled updates, and compliance logging.

Step 4

Estate-Wide Rollout

Phased deployment across all locations with centralised management, verified configuration baselines, and continuous PCI DSS evidence generation.
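As an added example, not code from this page or from the Firevault product: a policy check that models the four store zones from Step 2 (POS, back-office, CCTV, guest) plus the payment and corporate zones, and evaluates flow records against a default-deny allow-list. It flags the flat-network paths described under The Challenge (a guest device or camera reaching a till, a till reaching the internet) and separates out those that touch PCI scope, which is the kind of evidence the assessment in Step 1 is looking for. The addressing plan, ports and sample flows are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan for one store (assumption, not from the page).
ZONES = {
    "pos":         ipaddress.ip_network("10.10.0.0/24"),
    "back_office": ipaddress.ip_network("10.10.1.0/24"),
    "cctv":        ipaddress.ip_network("10.10.2.0/24"),
    "guest":       ipaddress.ip_network("10.10.3.0/24"),
    "payment":     ipaddress.ip_network("10.200.0.0/24"),  # payment switch (CDE)
    "corporate":   ipaddress.ip_network("10.100.0.0/16"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Allow-list of (src_zone, dst_zone, proto, dst_port). Anything not listed is
# denied, so a flat network's "anything to anything" surfaces as violations.
# Ports are assumptions for the example.
ALLOWED = {
    ("pos", "payment", "tcp", 443),           # card authorisation only
    ("back_office", "corporate", "tcp", 443),
    ("back_office", "internet", "tcp", 443),
    ("cctv", "corporate", "tcp", 443),        # recordings to HQ
    ("guest", "internet", "tcp", 80),
    ("guest", "internet", "tcp", 443),
    ("guest", "internet", "udp", 53),
}
PCI_ZONES = {"pos", "payment"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918):
        return "unknown"   # internal space nobody planned for: never silently allowed
    return "internet"


def evaluate(flow: Flow) -> dict:
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    allowed = (src_zone, dst_zone, flow.proto, flow.dst_port) in ALLOWED
    return {
        "flow": flow,
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "allowed": allowed,
        # A denied flow touching POS or payment space is a segmentation failure
        # inside PCI scope, which is what an assessor wants evidence about.
        "pci_scope_violation": (not allowed) and bool({src_zone, dst_zone} & PCI_ZONES),
    }


def segmentation_report(flows) -> dict:
    results = [evaluate(f) for f in flows]
    return {
        "total": len(results),
        "violations": [r for r in results if not r["allowed"]],
        "pci_scope_violations": [r for r in results if r["pci_scope_violation"]],
    }


# Constructed flow records in the shape of a firewall or NetFlow summary.
SAMPLE_FLOWS = [
    Flow("10.10.0.21", "10.200.0.10", "tcp", 443),   # till -> payment switch
    Flow("10.10.0.21", "203.0.113.45", "tcp", 443),  # till -> internet (the scenario's exfil path)
    Flow("10.10.3.77", "10.10.0.21", "tcp", 445),    # guest laptop -> till SMB
    Flow("10.10.2.5",  "10.10.0.21", "tcp", 22),     # camera -> till SSH
    Flow("10.10.1.30", "10.100.4.8", "tcp", 443),    # back office -> HQ
    Flow("10.10.3.77", "198.51.100.9", "udp", 53),   # guest -> public DNS
]

if __name__ == "__main__":
    report = segmentation_report(SAMPLE_FLOWS)
    for r in report["violations"]:
        f = r["flow"]
        print(f"DENY {r['src_zone']} -> {r['dst_zone']} {f.proto}/{f.dst_port} ({f.src} -> {f.dst})")
    print(f"{len(report['pci_scope_violations'])} of {report['total']} flows breach PCI scope")
```

Run against a day of real flow records the same way: every deny that lands in the PCI rows is either a rule the allow-list is missing or a path the segmentation has to close. Note that the check only classifies what it sees; a VLAN boundary that has been bypassed at the switch still looks like a policy violation here, which is exactly why the flows need to be captured at the boundary device rather than trusted from the endpoint.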

Retail blueprint - PoC

Speak to the team to organise a PoC

Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.

Retail

Physically isolate retail POS and payment paths from store IT to drastically reduce PCI DSS scope and contain breaches across the estate.

© 2026 Firevault Limited. Disconnect to Protect®