PCI 4.0 for restaurants — a no-jargon checklist
PCI 4.0 is now the active standard. The operator-friendly checklist of what's required, what changed, and how to stay compliant without the spreadsheet panic.
PCI 4.0 is now the active standard. If your QSA mentioned 'segmented network' three times in the last meeting, here's why. The new standard is more demanding on three fronts that matter for restaurants: network segmentation, authentication, and continuous evidence.
1. Network segmentation is now mandatory in spirit
Cardholder data has to be on a network segment isolated from anything else. The 'flat network' that runs your back-office laptop and your card terminal on the same VLAN is not compliant under 4.0, and is much harder to argue your way through with a QSA.
2. Authentication tightens
Multi-factor authentication is now required for all access to systems handling cardholder data, including remote access by your IT vendor. If your IT firm logs into your POS via a username and password, that's a finding.
3. Evidence is continuous, not annual
Quarterly external scans, continuous monitoring of segmentation controls, and documented patching cadence — these aren't 'we'll catch up before the audit.' They're 'we already had this in place when something broke.'
Operator checklist
1. Confirm your POS and payment terminal are on a separate VLAN from everything else
2. Confirm MFA is required for any administrator login, including your IT firm's
3. Confirm patches to network gear are applied within 30 days of release, with logs
4. Schedule quarterly external scans through an Approved Scanning Vendor
5. File your annual SAQ with the actual scope you operate, not a wishful version of it
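Checklist items 3 and 4 are the ones a QSA will ask you to prove with records rather than a verbal "yes", so it helps to run the same check yourself before the audit. The script below is an added example, not part of the original article or any PCI tooling: it reads a small patch log and a list of completed scan dates (both constructed here, in an assumed CSV layout), flags any network-gear patch applied more than 30 days after release, and flags any gap between external scans that exceeds an assumed 92-day quarter.

```python
"""Added example: turn patch and scan records into compliance findings.

Assumptions (not from the article): the patch log is CSV with the columns
device,patch_id,release_date,applied_date, and a "quarterly" scan cadence
means no more than 92 days between consecutive scans.
"""
from datetime import date
from typing import Dict, List, Tuple

PATCH_WINDOW_DAYS = 30    # checklist item 3: applied within 30 days of release
SCAN_INTERVAL_DAYS = 92   # checklist item 4: assumed upper bound for "quarterly"

# Constructed sample patch log for three pieces of network gear.
PATCH_LOG = """\
# device,patch_id,release_date,applied_date
edge-fw-01,FW-2024-03,2024-03-04,2024-03-20
core-sw-01,SW-2024-01,2024-02-12,2024-04-02
pos-vlan-sw,SW-2024-02,2024-05-01,2024-05-15
"""

# Constructed sample of completed Approved Scanning Vendor scan dates.
SCAN_DATES = [date(2024, 1, 10), date(2024, 4, 8), date(2024, 8, 2)]


def parse_patch_log(text: str) -> List[Dict]:
    """Parse the CSV patch log into records with real date objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, patch_id, released, applied = line.split(",")
        records.append({
            "device": device,
            "patch_id": patch_id,
            "released": date.fromisoformat(released),
            "applied": date.fromisoformat(applied),
        })
    return records


def late_patches(records: List[Dict],
                 window: int = PATCH_WINDOW_DAYS) -> List[Tuple[str, str, int]]:
    """Return (device, patch_id, days_late) for patches applied after the window."""
    findings = []
    for r in records:
        lag = (r["applied"] - r["released"]).days
        if lag > window:
            findings.append((r["device"], r["patch_id"], lag))
    return findings


def scan_gaps(scan_dates: List[date],
              max_gap: int = SCAN_INTERVAL_DAYS) -> List[Tuple[date, date, int]]:
    """Return (previous_scan, next_scan, gap_days) for any gap over max_gap."""
    dates = sorted(scan_dates)
    gaps = []
    for prev, cur in zip(dates, dates[1:]):
        gap = (cur - prev).days
        if gap > max_gap:
            gaps.append((prev, cur, gap))
    return gaps


def evidence_report(log_text: str = PATCH_LOG,
                    scans: List[date] = SCAN_DATES) -> Dict[str, list]:
    """Bundle both checks so one call answers "do we have a finding?"."""
    return {
        "late_patches": late_patches(parse_patch_log(log_text)),
        "scan_gaps": scan_gaps(scans),
    }


if __name__ == "__main__":
    report = evidence_report()
    for device, patch_id, lag in report["late_patches"]:
        print(f"FINDING: {device} applied {patch_id} {lag} days after release")
    for prev, cur, gap in report["scan_gaps"]:
        print(f"FINDING: {gap} days between scans on {prev} and {cur}")
    if not report["late_patches"] and not report["scan_gaps"]:
        print("No findings in patch or scan cadence")
```

On the constructed data this flags one late patch (core-sw-01, applied 50 days after release) and one scan gap (116 days between the April and August scans); the March and May patches and the January-to-April scan interval pass. Swap in your own export of the patch log and scan history to produce the same report on real records.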