POS Network Segmentation and Payment Path Control
Retail networks span thousands of locations, each processing payment card data through point-of-sale systems connected to corporate infrastructure. A single compromised store can provide a path to every other location in the estate.
Retail
When a guest Wi-Fi access point and a payment terminal share the same network, every customer browsing the internet is a potential path to payment card data.
100%
Payment network isolation from store IT
Zero
Persistent vendor paths to POS systems
4
Store network zones with independent governance
Full
PCI DSS 4.0 network segmentation evidence
Retail networks are distributed and high-value targets.
POS Compromise
Point-of-sale systems across thousands of locations create a massive attack surface for payment card data theft.
Flat Store Networks
Many retail locations share a single network for POS, back-office, CCTV, and guest Wi-Fi, enabling lateral movement from any entry point.
Supply Chain Risks
POS software vendors, payment processors, and maintenance contractors each create persistent pathways into the payment environment.
The Scenario
Scenario: Estate-Wide POS Compromise
Attackers compromise a POS software update server and distribute a modified update containing memory-scraping malware. The update propagates to 1,200 stores over a routine maintenance cycle. The malware captures payment card data from POS memory and exfiltrates it through the store internet connection, which shares the same network as the POS systems. Over eight weeks, 4.3 million payment card numbers are stolen. With Firevault Control, POS networks are physically separated from store internet connectivity. The malicious update cannot exfiltrate data because the POS network has no path to the internet. Software updates are delivered through controlled, authorised transfer windows with integrity verification.
"Our PCI assessor told us our segmentation was compliant. But it was VLAN-based. When the attackers compromised the switch management interface, every VLAN boundary in the estate became meaningless."
Physical payment path control across the retail estate.
Retailers gain physical control over payment paths at every location. POS networks are physically isolated from store internet and back-office systems. Software updates are delivered through controlled, verified channels. Estate-wide recovery from sophisticated attacks is guaranteed through air-gapped configuration archives.
- Physical POS network isolation at every store location
- Controlled, verified software update delivery
- Multi-party authorisation for payment system changes
- Cellular management independent of store WAN
- Continuous PCI DSS 4.0 compliance evidence
- Air-gapped recovery for rapid store restoration
Fracture, Emergency Store Isolation
Module 1 of 4Physically disconnects compromised store networks from corporate infrastructure and payment systems. When a breach is detected, Fracture severs the path within seconds to prevent estate-wide propagation.
Featured In
'%3e%3cpath%20fill='%23E40784'%20d='M141.363%2026.6a5.905%205.905%200%200%201-5.899-5.9%205.905%205.905%200%200%201%205.899-5.895%205.901%205.901%200%200%201%205.895%205.895%205.9%205.9%200%200%201-5.895%205.9Zm0-8.347a2.448%202.448%200%200%200%200%204.895%202.449%202.449%200%200%200%202.447-2.448%202.449%202.449%200%200%200-2.447-2.447ZM141.363%200c-.821%200-1.638.052-2.447.144v3.731a16.897%2016.897%200%200%201%202.447-.177c9.373%200%2017.002%207.626%2017.002%2017.002%200%20.825-.063%201.642-.177%202.448h3.732c.095-.81.143-1.627.143-2.448%200-11.411-9.285-20.7-20.7-20.7Z'/%3e%3cpath%20fill='%23E40784'%20d='M141.363%207.268c-.825%200-1.645.077-2.447.228v3.787a9.733%209.733%200%200%201%202.447-.313c5.369%200%209.734%204.368%209.734%209.734%200%20.832-.107%201.652-.313%202.447h3.783c.151-.802.228-1.623.228-2.447.004-7.412-6.024-13.436-13.432-13.436Z'/%3e%3cpath%20fill='%23fff'%20d='M71.382%207.537h-2.84a5.82%205.82%200%200%200-5.815%205.818v9.785h4.037v-9.789a1.78%201.78%200%200%201%201.777-1.777h2.841V7.537ZM80.539%2019.1a3.787%203.787%200%200%201-3.783-3.784%203.787%203.787%200%200%201%203.783-3.783%203.787%203.787%200%200%201%203.783%203.784%203.787%203.787%200%200%201-3.783%203.783Zm0-11.6c-4.313%200-7.82%203.507-7.82%207.82%200%204.313%203.507%207.82%207.82%207.82%201.372%200%202.66-.357%203.78-.982v.982h4.036V15.32c.004-4.313-3.503-7.82-7.816-7.82ZM41.806%2018.71a5.512%205.512%200%200%201-4.34%202.1%205.55%205.55%200%200%201-5.541-5.541%205.55%205.55%200%200%201%205.542-5.543c1.696%200%203.279.766%204.339%202.102l.088.114%201.656-1.656-.077-.092a7.865%207.865%200%200%200-6.01-2.797c-4.339%200-7.871%203.533-7.871%207.872s3.532%207.871%207.871%207.871a7.865%207.865%200%200%200%206.01-2.797l.077-.091-1.656-1.656-.088.113ZM19.479%207.397c-4.34%200-7.872%203.53-7.872%207.872%200%204.342%203.533%207.871%207.872%207.871a7.883%207.883%200%200%200%207.205-4.71l.081-.18H24.15l-.037.058a5.543%205.543%200%200%201-10.05-1.873h13.2l.015-.11c.048-.357.073-.714.073-1.053%200-4.346-3.529-7.875-7.871-7.875Zm-5.417%206.705a5.54%205.54%200%200%201%205.417-4.376%205.54%205.54%200%200%201%205.417%204.376H14.06ZM46.192%2023.14h2.33v-8.847a4.599%204.599%200%200%201%204.593-4.592%204.599%204.599%200%200%201%204.592%204.592v8.844h2.33v-9.149h-.008a6.887%206.887%200%200%200-2.082-4.648%206.89%206.89%200%200%200-4.832-1.972%206.863%206.863%200%200%200-4.593%201.751V.545h-2.33V23.14ZM2.686%207.393H0v2.33h2.686v8.471a4.944%204.944%200%200%200%204.94%204.939h2.435v-2.33H7.625a2.613%202.613%200%200%201-2.609-2.612V9.726h3.772v-2.33H5.016V1.84h-2.33v5.553ZM101.968%208.457a7.721%207.721%200%200%200-2.547-.858c-.088-.014-.177-.03-.265-.04-.1-.011-.199-.022-.302-.03a9.993%209.993%200%200%200-.574-.029c-.022%200-.04-.004-.062-.004h-.037c-4.313%200-7.82%203.507-7.82%207.82%200%204.313%203.507%207.82%207.82%207.82h.037c.25%200%20.496-.014.743-.04l.037-.003a7.742%207.742%200%200%200%203.003-.939v.979h4.037L106.005.537h-4.037v7.92Zm0%206.863a3.788%203.788%200%200%201-3.769%203.78%203.786%203.786%200%200%201-3.76-3.78c0-2.08%201.688-3.772%203.764-3.78a3.787%203.787%200%200%201%203.765%203.78ZM119.75%2023.11h4.037V15.299c-.011-4.302-3.515-7.798-7.82-7.798-4.313%200-7.821%203.507-7.821%207.82%200%204.313%203.508%207.82%207.821%207.82%201.372%200%202.66-.357%203.783-.982v.953Zm-3.783-4.01a3.786%203.786%200%200%201-3.783-3.784%203.786%203.786%200%200%201%203.783-3.783%203.79%203.79%200%200%201%203.783%203.78v.003a3.787%203.787%200%200%201-3.783%203.784ZM132.273%207.5a5.824%205.824%200%200%200-5.818%205.818v9.822h4.037v-9.822a1.78%201.78%200%200%201%201.777-1.777h2.841V7.5h-2.837ZM173.736%2020.807a5.534%205.534%200%200%201-5.527-5.527%205.534%205.534%200%200%201%205.527-5.528%205.535%205.535%200%200%201%205.528%205.528%205.535%205.535%200%200%201-5.528%205.527Zm0-13.399a7.852%207.852%200%200%200-5.527%202.274V7.393h-2.344V30h2.344v-9.127a7.836%207.836%200%200%200%205.527%202.275c4.339%200%207.872-3.533%207.872-7.872s-3.533-7.868-7.872-7.868ZM186.735%2023.14h-2.385v-9.81a5.84%205.84%200%200%201%205.833-5.834h2.848v2.385h-2.848a3.45%203.45%200%200%200-3.448%203.448v9.811ZM202.813%209.774a5.535%205.535%200%200%200-5.528%205.528%205.535%205.535%200%200%200%205.528%205.527%205.534%205.534%200%200%200%205.527-5.527%205.534%205.534%200%200%200-5.527-5.528Zm0%2013.4c-4.339%200-7.872-3.533-7.872-7.872%200-4.34%203.533-7.872%207.872-7.872s7.872%203.53%207.872%207.872c0%204.339-3.533%207.871-7.872%207.871Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h210.68v30H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
Key Capabilities
Sovereign Payment Data
All payment system configurations and cardholder data paths remain within the agreed jurisdiction in secured Firevault Bunkers.
Multi-Party Update Control
POS software updates and configuration changes require sign-off from both IT operations and security teams before deployment.
PCI DSS 4.0 Evidence
Automated compliance logging generates continuous evidence for PCI DSS 4.0 network segmentation requirements across the entire estate.
Cellular Failover
Out-of-band management via cellular connectivity ensures control over store networks independent of primary WAN connections.
Estate-Wide Audit Trail
Every access, update, and authorisation across all locations is recorded in centralised, tamper-proof logs.
Rapid Store Recovery
Air-gapped POS configurations enable rapid restoration of compromised stores without relying on network-connected backup systems.
Demo to Live
Adoption Guide
Estate Network Assessment
Audit network architecture across representative store locations to identify payment path exposure and segmentation gaps.
Store Zone Architecture
Design standardised store network zones for POS, back-office, CCTV, and guest access with Control modules at each boundary.
Pilot Store Deployment
Deploy in a representative group of stores with full payment path isolation, controlled updates, and compliance logging.
Estate-Wide Rollout
Phased deployment across all locations with centralised management, air-gapped recovery, and continuous PCI DSS evidence generation.
Estate Network Assessment
Audit network architecture across representative store locations to identify payment path exposure and segmentation gaps.
Store Zone Architecture
Design standardised store network zones for POS, back-office, CCTV, and guest access with Control modules at each boundary.
Pilot Store Deployment
Deploy in a representative group of stores with full payment path isolation, controlled updates, and compliance logging.
Estate-Wide Rollout
Phased deployment across all locations with centralised management, air-gapped recovery, and continuous PCI DSS evidence generation.
Win Business, Earn Trust, and Build Reputation with Butterfly
Butterfly is an operational model that helps organisations structure sensitive data to close deals faster, strengthen client relationships, and demonstrate the governance maturity that wins enterprise contracts.
Built on the VPPP framework (Vault, Policy, Permissions, Purpose), Butterfly maps your sensitive data and assigns dedicated Vaults by role, relationship, and purpose, turning data stewardship into a competitive advantage.
Deal Readiness
Governed materials ready to share with confidence
Client Trust
Demonstrate stewardship that earns loyalty
Board Confidence
Clear governance that inspires stakeholders
Enterprise Scale
Structure data governance across your organisation
Who Uses Butterfly?
-
Sales Teams
Secure client proposals, pricing, and commercial intelligence
-
Service Providers
Exchange sensitive documents with clients through governed Vaults
-
Businesses
Protect strategic plans, IP, and competitive intelligence
-
Family Offices
Structure data governance across principals, staff, and advisors
Explore More
Supply Chain Threat
Disconnect third-party paths when not in active use.
Learn more about Supply Chain ThreatRansomware Containment
Sever the path before ransomware spreads.
Learn more about Ransomware ContainmentControl for IT Networks
Path governance across distributed IT estates.
Learn more about Control for IT NetworksInsider Threat
Limit blast radius from compromised internal accounts.
Learn more about Insider ThreatControl for Banking
Adjacent payments-grade segmentation pattern.
Learn more about Control for BankingOSS for Retail
Offline secure storage for customer and payment records.
Learn more about OSS for RetailQuestions
Frequently Asked
Ready to take the next step?
See how Control can govern your data paths with physical enforcement no software exploit can bypass.
Speak to the team to organise a PoC
Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.