
PCI DSS v4.0 became the only permitted version of the Payment Card Industry Data Security Standard in March 2025. If your hotel’s network infrastructure touches payment card data — directly or through shared physical infrastructure — the new requirements apply to you.
One change in v4.0 has specific implications for guest WiFi: the requirement for per-device credential rotation and stronger logical separation between cardholder data environments and guest-accessible networks.
The old approach no longer satisfies the standard
Under PCI DSS v3.2.1, many hotels maintained compliance through VLAN segmentation — keeping payment processing systems on a separate logical network from guest WiFi. This remains required. But v4.0 goes further on credential management.
A single shared WPA2 passphrase across all guest devices creates a documented vulnerability: any guest who obtained or guessed the password in a previous stay retains a credential that still works. There is no automatic invalidation. There is no per-stay or per-device rotation. Under v4.0’s tightened requirements around network access control, this is no longer sufficient for networks that share physical infrastructure with payment systems.
What per-device credentials mean in practice
The requirement points toward unique, individually managed credentials per device or per user — what the WiFi industry calls iPSK (Identity Pre-Shared Key), or variants called MPSK, DPSK, or UPSK depending on the vendor.
With iPSK, each registered guest receives a unique personal passphrase. That passphrase is tied to their registration identity. When they check out — or when their stay expires — the credential is revoked. The next guest gets a completely new credential. There is no continuity of access between stays.
This satisfies the v4.0 requirement in several ways:
- Per-device isolation — each guest credential is cryptographically separate from every other guest’s credential on the same SSID
- Automatic revocation — credentials expire on check-out via PMS integration, with no manual process required
- Audit trail — every credential issuance and revocation is logged against a verified guest identity
The PMS connection matters
The revocation requirement is where many implementations fall short. Issuing unique credentials is straightforward. Ensuring they are revoked automatically and reliably at check-out requires integration with the property management system.
Wiacom’s WiFi Pass integrates with Oracle OPERA Cloud (OHIP), with a growing library of over 100 PMS systems supported. When a check-out event is received, the guest’s iPSK credential is revoked automatically — no front desk action, no manual credential management.
What hotels should do now
If your hotel is running a shared WPA2 passphrase for guest WiFi, and your network shares physical infrastructure with any payment processing system, you have a documented gap against PCI DSS v4.0.
The path forward involves three things: per-device credentials (iPSK), PMS-integrated automatic revocation, and documented audit trails for credential lifecycle. Wiacom’s WiFi Pass covers all three.
For hotels that haven’t yet assessed their v4.0 posture, the time to act is now — the standard is no longer transitional.
Wiacom WiFi Pass provisions unique iPSK credentials per guest, integrates with PMS for automatic check-out revocation, and works on Cisco Meraki, HPE Aruba, Ruckus, and other major WiFi vendors.

