Blog · April 15, 2026
The single network mistake we find on almost every Anchorage coffee shop
Almost every coffee shop and restaurant we audit in Anchorage has the same network configuration error. It's a PCI compliance problem and a security problem, and it's been baked into the wiring since day one.
By Orion Grimm
I have audited the networks of more Anchorage coffee shops and restaurants than I can count at this point. The same configuration mistake shows up in almost every one of them. It is not exotic. It is not the result of incompetence. It is the result of how networks accumulate when nobody designs them, and it is the single most common security and compliance issue in Alaska’s small food and beverage scene.
Here is the mistake: the customer guest WiFi, the POS terminals, and the back-office computers are all on the same flat network.
That single sentence may not sound like a problem. Let me explain why it is.
Why a flat network is bad for a coffee shop
When everything is on the same network, every device can talk to every other device. The customer with the compromised laptop sitting at the counter has a network path to the POS terminal taking card payments. The phone with the misbehaving app on the guest WiFi can scan the back-office computer that holds your QuickBooks file. The Internet of Things device you bought last year (the smart thermostat, the security camera, the music streamer) sits on the same subnet as your payment terminals.
This is not a hypothetical. Attacks against small retail and food businesses frequently do not start with the POS itself. They start with a peripheral, a guest device, or a misconfigured smart device, and once an attacker has a foothold on the network, the flat topology lets them move sideways into the systems that actually matter.
It is also a PCI compliance problem. PCI DSS does not strictly mandate segmentation, but it treats guest WiFi as an untrusted network and requires network security controls (firewall rules, not a policy document) between untrusted networks and the systems that handle cardholder data, and without segmentation every device on the premises is in scope for every requirement. A flat network does not pass that test. If your processor or your insurer ever asks, the answer is “we are not segmented” and you are in the bad position of explaining why.
How the mistake happens
Nobody designed it this way on purpose. Here is the pattern I see, repeatedly:
- The shop opens. The owner buys a consumer router from Best Buy or accepts whatever the ISP shipped. It plugs into the wall and produces WiFi. Done.
- The POS gets installed. The Toast or Square installer plugs the terminal into the same router. It works.
- The back-office computer gets set up. It connects to the same WiFi. It works.
- The first guest WiFi requests come in. The owner enables the guest network feature on the router, but the guest network is on the same subnet (or, on cheaper routers, just the same WiFi entirely with a different SSID).
- Five years pass. Nobody touches it. It works. Nobody asks whether it is configured correctly.
That last step is the trap. It works. The shop runs. Cards swipe. Food goes out. There is no visible problem. Right up until there is.
What the right configuration looks like
The fix is not exotic. It is not expensive. It just has to be designed instead of grown.
A properly designed coffee shop or restaurant network has at least four separate VLANs (virtual networks running on the same physical wiring):
- POS VLAN. Only the payment terminals and the kitchen display systems. Firewall rules allow outbound traffic to the POS vendor’s cloud and nothing else, and no other VLAN may initiate a connection into it.
- Back-office VLAN. Office computers, the shared file storage, the printer. Firewall rules block any inbound traffic from the other VLANs.
- Guest WiFi VLAN. Customer devices. Internet access only, completely isolated from everything else.
- IoT / device VLAN. Smart thermostats, security cameras, music streamers. Internet access only, isolated.
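To make the four-VLAN design concrete, here is the inter-VLAN firewall policy written out as a small model you can run and poke at. This is an added example, not the author’s configuration and not UniFi’s syntax: the address plan (one /24 per VLAN), the POS vendor’s cloud address (a documentation-range address) and the rule order are assumptions made for illustration. On a real gateway the same rules are entered in its firewall UI; the principle is the one described above, deny between VLANs by default and allow only what has a business reason. The flat network the post describes is included beside it for comparison.

```python
"""Inter-VLAN firewall policy for the four-VLAN design, as a runnable model.

Added example, not the author's or UniFi's configuration. The address plan,
the POS vendor's cloud address and the rule order are assumptions.
"""
import ipaddress

# Assumed address plan: one /24 per VLAN (constructed for the example).
VLANS = {
    "pos": ipaddress.ip_network("10.10.10.0/24"),
    "backoffice": ipaddress.ip_network("10.10.20.0/24"),
    "guest": ipaddress.ip_network("10.10.30.0/24"),
    "iot": ipaddress.ip_network("10.10.40.0/24"),
}

# Assumed address of the POS vendor's cloud (documentation range, not a real host).
POS_VENDOR_CLOUD = ipaddress.ip_network("203.0.113.10/32")


def zone(ip):
    """Name the VLAN an address belongs to, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


def _match(pattern, zone_name, addr):
    """A rule field is '*', a zone name, or a specific network."""
    if pattern == "*":
        return True
    if isinstance(pattern, ipaddress.IPv4Network):
        return addr in pattern
    return pattern == zone_name


# Rules for NEW connections, top to bottom, first match wins; a stateful
# firewall lets the replies back on its own.
# Fields: (source, destination, destination port or None for any, verdict).
SEGMENTED_RULES = [
    # POS VLAN: only the vendor's cloud over HTTPS, nowhere else, and no one in.
    ("pos", POS_VENDOR_CLOUD, 443, "allow"),
    ("pos", "*", None, "deny"),
    ("*", "pos", None, "deny"),
    # Back office: out to the internet, nothing inbound from other VLANs.
    ("backoffice", "internet", None, "allow"),
    ("*", "backoffice", None, "deny"),
    # Guest and IoT: internet only.
    ("guest", "internet", None, "allow"),
    ("iot", "internet", None, "allow"),
    # Default deny for anything not listed above.
    ("*", "*", None, "deny"),
]

# The flat network the post describes: the zone labels still say which device
# plays which role, but no rule distinguishes them.
FLAT_RULES = [("*", "*", None, "allow")]


def decide(rules, src_ip, dst_ip, dst_port=None):
    """Return 'allow' or 'deny' for a new connection src_ip -> dst_ip:dst_port.

    Traffic inside one VLAN never reaches the gateway firewall (the switch
    forwards it), so it is allowed without consulting the rules.
    """
    src, dst = zone(src_ip), zone(dst_ip)
    if src == dst and src != "internet":
        return "allow"
    src_addr, dst_addr = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r_src, r_dst, r_port, verdict in rules:
        if not _match(r_src, src, src_addr) or not _match(r_dst, dst, dst_addr):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return verdict
    return "deny"


# Constructed sample flows matching the scenarios in the post.
SAMPLE_FLOWS = [
    ("guest laptop -> POS terminal", "10.10.30.77", "10.10.10.5", 443),
    ("guest phone -> back-office SMB share", "10.10.30.78", "10.10.20.10", 445),
    ("thermostat -> POS terminal", "10.10.40.3", "10.10.10.5", 22),
    ("POS terminal -> vendor cloud", "10.10.10.5", "203.0.113.10", 443),
    ("POS terminal -> other internet host", "10.10.10.5", "198.51.100.20", 443),
    ("back office -> internet", "10.10.20.10", "198.51.100.20", 443),
    ("camera -> internet", "10.10.40.4", "198.51.100.20", 443),
]


def audit(rules):
    """Map each sample flow's label to the verdict the rule set gives it."""
    return {label: decide(rules, s, d, p) for label, s, d, p in SAMPLE_FLOWS}


if __name__ == "__main__":
    flat, seg = audit(FLAT_RULES), audit(SEGMENTED_RULES)
    print(f"{'flow':40} {'flat':6} segmented")
    for label in flat:
        print(f"{label:40} {flat[label]:6} {seg[label]}")
```

The point of the table it prints is the column for the flat network: every flow is “allow”, including the guest laptop reaching the card terminal. Note the ordering in the segmented set: the POS allow rule comes before the POS deny, and the deny covers every other destination, so the terminals cannot be pointed at an arbitrary internet host even by someone who has already compromised one.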
The hardware to do this is not expensive. A UniFi Dream Machine Pro or SE can run all four VLANs natively. A handful of UniFi access points can broadcast the right VLAN per SSID. The total cost for a single-location shop is usually a few thousand dollars in equipment, installed in a day, and then operated indefinitely.
The cost of not doing it is less visible right up until something goes wrong.
What you can check today
If you run a coffee shop or restaurant in Anchorage and you want a quick gut check on whether your network is segmented, here are three things you can verify:
- Connect a personal phone to the customer guest WiFi and look at the IP address it is given. If it is in the same range as your POS terminal (both 192.168.1.x, say), you do not have segmentation, full stop. Then try to ping the POS terminal from that phone: if it answers, or responds in any way, you have confirmed it. A POS that does not answer ping is not proof that you are segmented; plenty of devices simply ignore ping.
- Check whether you can see your back-office computer’s shared folders from a guest device. If you can, you have a real problem.
- Look at the router or gateway your shop uses. If it is a single all-in-one box from your ISP, or a consumer-grade unit from Costco or Amazon, segmentation is almost certainly not configured.
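For anyone who would rather run the first check than eyeball it, here is a small script for a laptop on the guest WiFi. It is an added example, not the author’s procedure, and the list of ports it knocks on is an assumption rather than a statement of what any POS actually runs. It asks the two questions the ping test answers badly: is my guest address in the same subnet as the POS terminal (if so, there is no segmentation whether or not the POS answers ping), and if not, does the POS still accept a TCP connection from here (a route exists and nothing is filtering it)? Run it only against equipment you own or are authorized to test.

```python
"""Gut check from a device on the guest WiFi.

Added example, not the author's procedure. PROBE_PORTS is an assumption.
"""
import ipaddress
import socket

# Ports to knock on; an assumption, not a list of what any POS actually runs.
PROBE_PORTS = (22, 80, 443, 445, 8080)


def same_subnet(my_ip, my_prefixlen, target_ip):
    """True if target_ip falls inside the subnet that my_ip/my_prefixlen is on."""
    net = ipaddress.ip_interface(f"{my_ip}/{my_prefixlen}").network
    return ipaddress.ip_address(target_ip) in net


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def gut_check(my_ip, my_prefixlen, pos_ip, probe=tcp_open, ports=PROBE_PORTS):
    """Classify the path from this guest device to the POS terminal.

    'probe' is injectable so the decision logic can be exercised offline.
    """
    if same_subnet(my_ip, my_prefixlen, pos_ip):
        return "flat"              # same broadcast domain: no segmentation at all
    if any(probe(pos_ip, p) for p in ports):
        return "routed"            # different subnet, but the gateway lets it through
    return "no-path-observed"      # nothing answered; not proof of segmentation


if __name__ == "__main__":
    # Constructed values; substitute your guest address and mask and the POS address.
    print(gut_check("192.168.1.57", 24, "192.168.1.20"))
```

“flat” is the result most shops in this post get. “routed” means somebody did create separate subnets but never wrote the deny rule, which is the same problem with an extra step. “no-path-observed” is the only result compatible with segmentation, and even then it is a gut check, not an audit.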
This is one of the things the free 30-minute IT Health Check covers. We do not need credentials or deep access — we can spot a flat network in about five minutes by walking around and checking what talks to what. If your shop has the problem, we will tell you, and we will tell you what it costs to fix. Whether you hire us or not, you will leave knowing.