Testimonials Blog Case Studies About Remote Support Client Resources
Networking · Case Study · June 12, 2026

Three Wi-Fi Networks, One Flat Backend: The Segmentation That Wasn't

A regional retail chain we support had three separate Wi-Fi networks at every location - one for staff, one for guests, one for point-of-sale. On paper, that looked like proper segmentation. Underneath, every one of those networks landed in the exact same place.

This client operates a multi-location retail business, and like a lot of growing retailers, its network had been built location by location as the business expanded - each new site copying whatever the last one had, without much scrutiny of whether the underlying setup was actually sound. On the surface, their Wi-Fi setup looked like it was doing the right thing: three separate SSIDs at every store, clearly named "Staff," "Guest," and "POS," giving the appearance of a business that had thought through its network segmentation.

What we found during the assessment

During a network assessment across the client's locations, we went past the SSID names and looked at what each network actually had access to on the backend. That's where the real picture emerged: all three SSIDs - staff, guest, and POS - were bridged onto the same flat network. Different names, different passwords, same underlying permissions. A device connected to "Guest" Wi-Fi could reach the same segment of the network as a device connected to "POS." The separation was cosmetic - three doors leading into the same room.

Why this is a real PCI and security risk

This is the same failure class we flag as one of the most common and most dangerous gaps in retail networks: unsegmented Wi-Fi. When a guest network can reach the same backend as point-of-sale traffic, a compromise doesn't need to start at the register - it just needs to start somewhere on the "safe-looking" guest network. A guest's infected laptop, a rogue device, or a simple password leak on the guest network could, in principle, reach systems processing payment card data. For a retailer handling card transactions across multiple locations, that's not a theoretical risk - it's exactly the kind of finding that fails a PCI review and exactly the kind of exposure that leads to a real breach.

How we fixed it

The fix wasn't renaming networks or adding more passwords - it was building real segmentation at the network layer. We implemented VLAN-based segmentation at every location, so each SSID - staff, guest, and POS - now terminates on its own isolated VLAN with firewall rules controlling exactly what, if anything, can cross between them. Guest traffic is fully isolated from the rest of the network. Staff devices reach only what staff need. POS traffic sits on its own segment with tightly controlled access, consistent with the segmentation approach we build into every POS deployment we support.

We rolled this out consistently across every location using the same VLAN structure and firewall policy, so the fix isn't a one-off patch at a single store - it's now the standard configuration for the whole chain, and it's the same standard we apply to any new location the client opens.

The lesson for any multi-location business

A separate SSID name is not the same thing as a separate network. The only way to know whether your Wi-Fi networks are actually isolated from each other is to check what's happening beneath the SSID - the VLANs, the firewall rules, the actual traffic paths - not just what the network is called on a device's Wi-Fi list. It's a detail that's invisible day to day and only shows up when something goes wrong, which is exactly why it belongs in a proper network assessment rather than something assumed to be fine.

Related

Services behind this project.

Not sure your guest Wi-Fi is actually isolated?

Get a free IT assessment.

We'll take a look at your current network segmentation across every location and tell you honestly whether it would hold up.

More case studies