
Retail Network Segmentation Model

Tags: Cisco Meraki, Umbrella DNS, Cloudflare, VLANs, 802.1X, SD-WAN

About this project

Network segmentation architecture for 800+ retail store locations — separating POS, guest Wi-Fi, IoT/CCTV, and back-office traffic into isolated zones with centralised firewall policy management.

Background

Retail store networks are a particularly challenging segmentation problem. A single store location might have point-of-sale terminals processing card transactions, guest Wi-Fi for customers, security cameras and IoT door sensors, back-office workstations, and staff mobile devices — all potentially on the same physical infrastructure. PCI-DSS requirements mandate that the cardholder data environment be isolated from other traffic. Getting that wrong is both a regulatory failure and a breach risk.

The segmentation model uses VLAN isolation as the foundational control, with 802.1X port authentication on wired endpoints in high-risk zones. The VLAN structure is standardised across all 800+ sites: POS traffic never shares a broadcast domain with guest Wi-Fi, and IoT devices have no route to anything they shouldn't reach. Cisco Meraki's centralised management model makes template-based policy push practical at that scale — you define the policy once and push it to all sites rather than configuring each store independently.

SD-WAN with dual-ISP failover means store connectivity is resilient: a single ISP failure doesn't take POS offline, which would be a direct revenue impact. QoS policy prioritises POS traffic on the WAN links to ensure card transaction latency stays within payment network thresholds even during periods of high bandwidth use. Umbrella DNS filtering at store egress catches malware callbacks and blocks access to categories of sites that create risk — ransomware operators frequently use DNS as an early-stage C2 channel.
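As an added example (not code from this project), the inter-zone policy template described above modelled as an ordered, first-match rule list, plus the check a practitioner would run before pushing a template to 800+ sites: that no untrusted zone can reach another zone. The VLAN address plan and the off-site destinations are constructed assumptions, since the page gives none.

```python
import ipaddress
# Constructed per-store address plan (assumption: one /24 per VLAN; the page
# gives no addressing). The same template is applied to every store.
ZONES = {
    "pos": "10.10.10.0/24", "staff": "10.10.20.0/24", "guest": "10.10.30.0/24",
    "iot": "10.10.40.0/24", "management": "10.10.50.0/24"}
PAYMENT_GW = "203.0.113.0/24"   # acquirer / payment gateway (constructed placeholder)
NVR_CLOUD = "198.51.100.0/24"   # camera video recorder (constructed placeholder)
ANY = "0.0.0.0/0"

# Zone-to-destination allow list; anything not listed here is denied.
ALLOW = [
    ("pos", PAYMENT_GW),           # cardholder traffic only to the acquirer
    ("management", ZONES["pos"]),  # patching and monitoring from management only
    ("management", ZONES["iot"]),
    ("iot", NVR_CLOUD),            # cameras upload to the recorder, nothing else
    ("staff", ANY),
    ("guest", ANY),
]

def build_rules():
    """Emit an ordered first-match rule list (implicit final deny). An allow to
    0.0.0.0/0 is preceded by denies to every store VLAN, so 'guest may reach
    the internet' can never be read as 'guest may reach POS'."""
    store_nets = [ipaddress.ip_network(c) for c in ZONES.values()]
    rules = []
    for src, dst in ALLOW:
        src_net, dst_net = ipaddress.ip_network(ZONES[src]), ipaddress.ip_network(dst)
        if dst_net.prefixlen == 0:
            rules.extend((src_net, z, "deny") for z in store_nets)
        rules.append((src_net, dst_net, "allow"))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First matching rule decides; no match means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def cross_zone_leaks(rules, trusted_sources=("management",)):
    """Pre-push template check: untrusted zones whose first host reaches another zone."""
    leaks = []
    for src, scidr in ZONES.items():
        for dst, dcidr in ZONES.items():
            if src in trusted_sources or src == dst:
                continue
            s = next(ipaddress.ip_network(scidr).hosts())
            d = next(ipaddress.ip_network(dcidr).hosts())
            if evaluate(rules, str(s), str(d)) == "allow":
                leaks.append((src, dst))
    return leaks
```

The ordering guard in build_rules is the point to carry over to a real dashboard template: a permissive "any" destination placed before the intra-store denies silently reopens the cardholder zone.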

Highlights

  • Per-store VLAN segmentation: POS, staff, guest, IoT, management
  • SD-WAN with dual-ISP failover and QoS policy for POS traffic priority
  • Umbrella DNS filtering enforced at all store egress points
  • 802.1X port authentication for wired endpoints in high-risk zones
  • Centralised Meraki dashboard with template-based config push across all sites