PCI DSS requires organizations to establish and maintain a secure network with a secure configuration of firewalls and routers. By taking advantage of network security controls, organizations can prevent criminals from accessing payment system networks and stealing cardholder data.
The development and maintenance of network documentation are covered by PCI DSS Requirements 1.1.2 and 1.1.3. Basically, network documentation consists of a network diagram and data flow diagram.
Some of the diagrams’ requirements include the creation of network infrastructure and data flow diagrams for the Cardholder Data Environment (CDE). Correct documentation assures both your company and your QSA that your network is set up securely.
PCI DSS Requirement 1.1.2 states that organizations must have an existing network diagram that defines all connections between the Cardholder Data Environment (CDE) and other networks, including all wireless networks.
PCI DSS Requirement 1.1.3 requires organizations to have an up-to-date diagram showing all cardholder data flows between systems and networks.
Network documentation is essential for network maintenance, security design, and incident response tasks. Network documentation will always be essential for your institution. Network diagrams help define and visualize the entire PCI DSS scope or CDE.
Your network documentation should include the following:
- Methods used to control traffic inside and outside your network
- Where your firewalls are located
- Where your routers and switches are located
- Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS)
- Demilitarized Zone (DMZ)
- Wireless Networks
- Remote access points
- Operating systems
- Email servers
- DNS server
The first step in PCI compliance is to make sure you meet the minimum requirements described below. With the tips below, you can streamline the process of creating professional diagrams and networking documentation that meet PCI compliance and help manage your network through the exchange.
Create a formal testing process and attach it to the network document.
A systematic testing procedure for any firewall and router settings changes should be included in network documentation and information security policy. One way to test for changes in the firewall configuration is to perform a detailed port scan of the hosts protected by the firewall. Another way to test changes to the router configuration is to use the ping and traceroute commands common to most network-enabled operating systems.
Create your updated network diagram and attach it to the network document.
The network documentation should include an up-to-date network diagram showing all network connections to cardholder data. You must specify all network devices in the PCI DSS scope, especially the components that store, transmit, and store cardholder data in your network diagram.
The network diagram should also consider all entities in your environment, or at least asset types. You need to specify exactly where your assets are, how they access media and define the methods and tools you use to control traffic.
As part of the network documentation, you need to indicate where your firewalls and routers are located, whether you have wireless devices. Whether they are covered or not, if wireless devices are in your environment, they should be shown in the network diagram.
If you are being evaluated against PCI standards, you must have a firewall between your cardholder data environment and your wireless access points.
Your network diagram should also show where your IPS / IDS is located. Evaluators need to see that they are positioned in front of your network and other areas in your environment that you can identify to be critical.
Once all relevant network devices are paired, draw the network connections between them, including wireless connections, and make connections between external networks such as the Internet. Ensure you keep the network diagram up to date and delegate responsibility for maintaining network documentation to qualified personnel.
The aim of data flow and network diagrams is to help your company and employees understand where these assets should be completely protected. You’re probably not defending your properties properly if you don’t know where they are.
Create your cardholder data flow diagram and attach it to your network document.
Determine where cardholder data is stored on your network and how it flows across the network. Make a copy of the network diagram and add the necessary information to explain cardholder data flow.
The purpose of having data flowcharts is for your organization to understand precisely where sensitive assets such as cardholder data are located across your entire network. If you are not aware of where your assets are currently located, you are probably not properly protecting them.
Keeping updated network documents, such as network diagrams and data flow charts, can prevent your organization from unknowingly overlooking cardholder data that is left outside security controls and is open to unauthorized access.
Using diagramming programs for network documentation will significantly simplify the process. This way, you get professional templates representing a wide variety of network components, which reduces the overall time required to create an accurate and professional-looking network diagram. Also, diagramming programs make it easy to keep your documents up to date because you add lines or segments for every new component you add to your network.
Choosing the right diagram solution can help you collaborate more effectively with others and manage your network documents’ storage and version control in a secure, accessible way.
The platform you choose should include access rights and revision history so you can limit access to authoritative documents, see who changed what, access previous diagrams to fix errors, and get a historical view of the system.
Add a firewall requirement for every Internet connection and DMZ.
Network documentation must require a firewall on every Internet connection and between any DMZ and the internal network. “A firewall must be placed on any Internet connection and between every DMZ and the internal network,” a paragraph in the network documentation may be added to satisfy this requirement. Start by installing firewalls on every Internet connection and between each DMZ and the internal network.
Include descriptions of groups, roles, and responsibilities.
Network documents should contain descriptions of network management roles and responsibilities. Identify network management roles such as network administrators, system administrators, and information security officers. Assign responsibilities to each network management role and document related responsibilities.
In small companies, only one person will be responsible for keeping a particular piece of document current and accurate. But in large companies, multiple people are often concerned with maintaining network infrastructure, handling card data, and completing other tasks that affect your PCI compliance. As a result, numerous versions of the same documents are found in emails, network shares, and separate machines, making it challenging to find the latest and most complete document.
Maintain a single up-to-date resource with permission-based controls for viewing, commenting, and editing so you can easily share documents while collecting entries and making changes to your infrastructure.
Describe all required protocols for the job in the network document.
It can help define the required protocols, define the network applications used by the business, and include the relevant protocols and ports used by the applications. A scanning tool quickly reveals the specific ports and protocols used by most network applications. If custom port settings are used, which is good practice to prevent automated attacks, custom port settings should be documented.
Identify unsecure protocols and explain why they are needed.
Network documentation should include a list of all unsecured network protocols and explanations for why each is required for business operations. Some common Internet protocols such as FTP that send authentication information in plain text have proven unsafe. Some email protocols may also send authentication information in clear text, often overlooked because email is an integral part of many business environments.
Verify that any unsafe service is required and cannot be easily replaced with a secure version, for example, by replacing telnet with SSH. If possible, add security measures to every unsafe service using technologies such as VPN, whitelists, or application-specific extensions. Ensure you thoroughly document each insecure service, including the nature of the vulnerability and the mitigation measures applied.
Extract a list of outbound connections from the cardholder data environment to the Internet and specify local and remote hosts/ports for each connection.
Document the firewall ruleset.
Firewalls should inherently block all traffic that is not required for business operations. The network documentation should include descriptions of the restrictions imposed by each firewall. It should also be documented that “deny” or “deny all” rules are included in the set.
Include a requirement to review firewall and router configurations at least every six months.
Network documentation should include the requirement to review firewall and router configurations at least every six months. Delegate the responsibility of reviewing the router and firewall configurations to qualified personnel to ensure that the review was done.
When your organization makes a change in your network environment, you must also update the network documentation. Basically, the sources of network documents are the data flow diagram and network diagram. Therefore, if you are going to change your network environment, you need to make sure that you keep these documents appropriately up to date.
Network documentation is up-to-date doesn’t just mean changing their date. When assessors come to your environment, they should look through the documentation and see that the data is up to date, and then they will compare the diagrams with your environment.
However, you should understand that just because you changed the dates does not mean that the network diagram is up to date. Ideally, updates should correctly display network documentation in your change management.
After you create your network documents, review and update your diagrams as changes are made to ensure that your document reflects your current network and business processes accurately.
The review will inform you of potential network vulnerabilities and provide the necessary documented information your auditor will need to verify your following assessment’s PCI compliance.