{"id":192,"date":"2026-04-13T14:30:39","date_gmt":"2026-04-13T13:30:39","guid":{"rendered":"https:\/\/www.cardonet.co.uk\/insights\/?p=192"},"modified":"2026-04-13T14:30:46","modified_gmt":"2026-04-13T13:30:46","slug":"restaurant-pos-security-pci-dss-compliance","status":"publish","type":"post","link":"https:\/\/www.cardonet.co.uk\/insights\/restaurant-pos-security-pci-dss-compliance\/","title":{"rendered":"Restaurant POS security: stop breaches before Friday night service\u00a0"},"content":{"rendered":"\n

It\u2019s\u00a07:30pm on\u00a0a Friday. The dining room is\u00a0full,\u00a0your POS terminals are taking payment from card after card. But somewhere on your network, an attacker who joined your guest Wi\u2011Fi an hour ago is quietly harvesting customer and payment data.\u00a0<\/p>\n\n\n\n

In almost every breach we see, the root cause is the same: a flat network where guest Wi\u2011Fi, staff devices and payment systems all share the same infrastructure. <\/p>\n\n\n\n

In 2023, a\u00a0ransomware attack on Yum! Brands<\/a>\u00a0\u2013 parent of KFC and Pizza Hut \u2013 forced the temporary closure of hundreds of UK restaurants while systems were recovered.\u00a0<\/p>\n\n\n\n

The attackers didn\u2019t need exotic tools. They needed a foothold and a network that let them move freely once they were in. <\/p>\n\n\n\n

Why restaurants are such easy targets<\/strong> for cyber security breaches\u00a0<\/h2>\n\n\n\n

Restaurants process large volumes of card payments, stay open long hours, and often rely on lean IT support. High transaction volume, complex estates and limited specialist resources make them attractive targets for attackers who specialise in payment data. <\/p>\n\n\n\n

The UK Government\u2019s\u00a0Cyber Security Breaches Survey 2025<\/a>\u00a0reports that 43% of UK businesses experienced a cyber security breach or attack in the previous 12 months, which equates to\u00a0roughly 612,000\u00a0organisations.\u00a0That\u2019s\u00a0the backdrop your restaurant\u00a0operates\u00a0in.\u00a0<\/p>\n\n\n\n

In a typical site, POS terminals, back\u2011office systems, staff laptops, Wi\u2011Fi access points, kitchen screens and delivery tablets are plugged into the same logical network. If an attacker compromises any one of those through a phishing email to a manager, a weak remote access tool or a rogue device on guest Wi\u2011Fi, they can start probing sideways until they find something more valuable. <\/p>\n\n\n\n

If there is no segmentation, nothing stops that lateral movement. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The hidden cyber security flaw in most restaurant networks<\/strong>\u00a0<\/h2>\n\n\n\n

The single most common weakness we see in restaurant environments is not no MFA or out\u2011of\u2011date antivirus. It is a flat network where everything is on one segment and is able to talk to everything else. <\/p>\n\n\n\n

Picture a three\u2011site group. Guest Wi\u2011Fi is broadcast from the same access points that serve your POS terminals. There is no separation between front\u2011of\u2011house devices, payment systems and back\u2011office servers. A guest, or an attacker posing as one, joins the Wi\u2011Fi and starts scanning: the POS terminals appear, then the back\u2011office server responds and from there, it\u2019s a question of time and technique, not whether the environment is reachable. <\/p>\n\n\n\n

The restaurants I worry about most are the ones that have modernised aggressively with online ordering tablets, QR code menus, loyalty apps and multiple delivery aggregators all going onto the same flat network they\u2019ve always had. Every innovation quietly widens the blast radius of a single breach unless the underlying network design changes with it. <\/p>\n\n\n\n

The\u00a0National Cyber Security Centre\u2019s network security guidance<\/a>\u00a0has been clear for years: network separation and segmentation are core to limiting the impact of compromise and restricting lateral movement.\u00a0\u00a0<\/p>\n\n\n\n

The principle is simple \u2013 if one part of your environment is breached, it should not automatically give an attacker a route to everything else. In a restaurant, that means a mistake on guest Wi\u2011Fi should never be able to reach cardholder data. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

What PCI DSS v4.0 really means in practice<\/strong>\u00a0for your restaurant<\/h2>\n\n\n\n

PCI DSS v4.0 is now the live global standard for card payment security. It replaced v3.2.1 for assessments from 31 March 2024. <\/p>\n\n\n\n

If you accept card payments in your restaurant, you are in scope \u2013 whether you run one site or twenty. <\/p>\n\n\n\n

Three shifts matter most: <\/p>\n\n\n\n