PCI DSS Network and Data Flow Diagrams

July 13, 2021

15255

Table of Contents show

When looking at the critical success criteria for PCI DSS compliance, it is vital to scope the cardholder data environment (CDE) accurately.

High-level and detailed network diagrams and data flow diagrams are mandatory PCI DSS requirements and are essential components of any successful PCI Compliance Report (RoC). Network diagrams and credit card data flowcharts must meet the criteria for PCI compliance.

It should be noted that it takes time and effort to create and produce diagrams that add value to your organization. In our article, you can find some guidelines to help you create PCI compliant and functional diagrams for PCI DSS.

High-Level PCI Network Diagrams

The High-Level Network Diagram is not part of a PCI requirement but is a separate diagram required within a PCI RoC executive summary. The Detailed Network Diagram, also required in the PCI RoC executive summary, depends on the evaluation steps for PCI requirements 1.1.2, 1.1.4, 6.4.6, and 11.4.

The most crucial thing to keep in mind is that a faulty schematic could render these controls incompatible.

While the name doesn’t imply its importance, High-Level Network Diagram demands a great deal of precise detail.

As PCI dictates, you must provide a high-level network diagram of your organization’s network topography, showing the overall architecture of the environment under consideration. This high-level diagram should outline all locations and switch systems and the boundaries between them and should include:

Specify connections to and from the network, including the cardholder data environment (CDE) and boundary points between other networks/regions.
Include critical components in the cardholder data environment, including POS devices, systems, databases, and web servers.
Include other required payment components, if any.

The inclusion of critical systems, POS devices, systems, databases, web servers, and other payment components are items that would typically be expected in a more elaborate scheme.

To ensure PCI Compliance, the High-Level Network Scheme must do the following:

Must represent all physical locations.
PCI should show in- and out-of-scope segments.
It should show all inbound and outbound connections to the CDE and protections for cardholder data (CHD).
It should show the segmentation within the CDE, including the devices providing the segmentation.
All segments should be labeled so that their differences can be understood.
Wireless network segments should be indicated with appropriate symbols.
Representative symbols and labels should be specified for all security devices related to PCI DSS requirements, any system in the payment flow, and other critical systems serving the CDE.
Virtualization technologies and hypervisors should be defined.
Management hosts and existing virtual/guest systems must be specified separately.
Explain colors/shading/icons using a key within the diagram.

However, the Detailed Network Diagram is representative of a less granular overview.

Detailed PCI Network Diagrams

You must provide detailed diagrams to illustrate each communication and port between coverage networks and environments. Detailed Network Diagrams should include:

Must specify all limits of the cardholder data environment.
It should include any network partitioning points used to reduce the scope of the assessment.
It should specify the boundaries between trusted and untrusted networks.
It should include wireless and wired networks.
It should show all other ports valid for evaluation.

Ensure the network diagrams contain enough detail to understand how each communication point works and is secure clearly. Required detail includes partitioning, network connections, and communication points, which are generally considered high-level requirements and do not require the level of granularity most people expect or anticipate.

To ensure PCI Compliance, the Detailed Network Diagram needs to:

Demonstrate the CDE against non-CDEs.
All links to the CDE from non-CDE domains should be shown.
All wireless devices, both inside and outside the CDE, should be displayed.
All links to third parties, card brands, and other business units should be shown.
All physical locations covered by PCI should be shown.
All protections in the transmitted CHD must be specified for connections to and from the CDE.
All segments must be labeled, and this labeling must be consistent across all diagrams.
Explain colors/shading/icons using a key within the diagram.
The date the diagram was produced and updated should be specified.

PCI Data Flow Diagrams

The Data Flow Chart required in the PCI RoC executive summary is based on the reporting instructions from PCI DSS requirement 1.1.3.

Data Flow Diagrams should be closely linked to data flow narratives to provide a holistic view of the CDE, showing the incoming, internal, and outgoing flows of the CHD. A data flow diagram should include all payment channels and processes through which CHD is processed.

Managed service providers (MSPs) or other organizations that do not store, process, or transmit CHD are expected to detail flows regardless of the process or service being evaluated in PCI RoC.

To ensure PCI Compliance, Data Flow Charts must:

It should describe any storage, processing, or transmission of CHD.
Locations must be consistent with network diagrams in terms of CDE boundaries, devices, and data protections.
It should detail all payment channels, transaction flows, or any other CHD flows involved in the PCI RoC:
- Streams corresponding to Capture, Authorization, Payment, and Chargeback should be specified.
- Other CHD streams applicable to the media under consideration should be included.
- Organizations that do not process CHD must demonstrate any process under PCI.
All payment applications must be displayed.
All storage locations that apply to stored data must be specified.
For communication over open, public networks, or untrusted networks, the protections on the CHD or communication channel must be specified.
All wireless segments and their associated shields must be specified in the CHD.
The date the diagram was produced and updated should be specified.
The date the diagram was produced and updated should be specified.

It will be time to take extra care while creating a network and data flow diagrams for PCI DSS. It will help relieve unnecessary stress when you and your staff may be facing proof requests and time of expenditures adjusting/improving the CDE to be compatible with other PCI.

Why Are Network and Data Flow Diagrams Required for PCI DSS?

It’s not uncommon for businesses to overlook the importance of creating practical network diagrams. The network diagrams for your firm are an essential part of your PCI compliance procedure and should not be disregarded.

Per the PCI DSS 1.1.2 requirement, your company must have an up-to-date network diagram that describes all connections between the cardholder data environment and other networks, including wireless networks. For the PCI DSS 1.1.3 requirement, you must have an up-to-date diagram showing how all cardholder data flows between systems and networks.

Network and data flow diagrams are essential for two reasons:

They’re designed to help your team better understand your company’s PCI compliance coverage by displaying the main components of your cardholder data environment (CDE) and how cardholder data flows through it.
They also help your evaluator understand where cardholder data is stored, processed, and transmitted to verify whether you have correctly identified your CDE.

We tend to look at PCI DSS requirements only to prove compliance, but PCI DSS requirements are also available to assist us. Network diagrams ensure that your team and your evaluator are clear about what is and is not covered.

Your compliance team is responsible for understanding where the CDE systems are in the corporate network environment and how cardholder data moves across it. The purpose of your network diagrams is to synthesize this information into an easy-to-understand representation of your CDE.

A sloppy or inadequate network diagram can indicate that your staff isn’t entirely aware of their surroundings. This gap is often a sure sign for an evaluator to look for potentially more profound issues.

How to Create Network and Data Flow Diagrams for PCI DSS

Several diagrams or a single network and data flow chart may be required depending on the complexity of your network and operations.

The network diagram shows how networks and system components that do not store, process, or transmit cardholder data are divided and where cardholder data is kept, processed, or communicated.

PCI requirements specifically mention wireless networks. Poorly configured or maintained wireless access points are a security risk. In the network diagram, all wireless networks must show how they are connected to or segregated from the cardholder data environment.

Larger organizations with complicated networks or businesses with different acceptance channels may want to consider putting together various diagrams.

For an exemplary network diagram, you need to know what devices you have and where they are located. The first place to start is to keep an inventory of all your devices, physical locations, and functions. The list should include routers, servers, switches, firewalls, VPN concentrators, SSH modems, virtual devices, and any components included in your PCI scope.

Diagrams should include all connections and all flow of cardholder data. Many companies have been breached because they do not consider the components connected to their networks and therefore do not have appropriate security controls.

This includes systems and processes that may not be directly related to cardholder data, such as environmental control systems or third-party solutions used to support your cardholder data environment.

To gain a complete picture of your network connections and cardholder data streams, follow these steps:

Keep an inventory of all your devices, physical locations, and functions.
Keep an inventory of all applications in use, including applications used to protect and monitor your systems.
Keep a list of vendors with whom you’ve exchanged cardholder data or which could compromise your cardholder data’s security. The list should also include the role the merchant plays in your cardholder data environment.
Understand how cardholder data enters your network, travels through your network, stored on your network, how it leaves your network, and where and with whom this cardholder data is shared. When you ask operations employees about “how they do things,” you’ll learn about systems and applications you hadn’t considered. A few questions to ask are:
- How to receive data (phone, mail, email)?
- How to enter (automatic, manual keyed)?
- Is the application hosted internally or by third parties?
- How and what data is transferred?

Using the information above:

Map the physical locations of the devices.
Show how devices are connected.
Show any VLAN or other segmentation.
Show how data goes through your network by connecting cardholder data entry points and exit points.
Fill in the blanks with information like IP addresses, ports and protocols, encryption methods, and algorithms.
Specify where cardholder data is transmitted and stored.
Include wireless devices and networks.
Specify the date it was last updated and revised.

Recommendations for Creating PCI DSS Network and Data Flow Diagrams

PCI DSS 1.1.2 and 1.1.3 requirements require you to create and keep the up-to-date network and data flow diagrams for your organization. While creating diagrams can be tedious and time-consuming, you understand the importance of network documentation when you consult it in case of a problem.

Proper network documentation leads to determining the correct PCI coverage for your company and QSA and ensuring that your network is securely set up.

1. Use a program to streamline the network diagram creation process

Creating network documents can be a tedious and challenging process. Finding a program that takes at least some of these hassles will make your job a lot easier. Solutions like Lucidchart or Visio can significantly simplify the diagramming process.

Custom shape libraries have been produced for various networks, including Cisco, Amazon Web Services, Microsoft Azure, Google Cloud Platform, and generic network infrastructure, using diagramming software.

Professional templates reflect a wide variety of network components, decreasing the overall time required to generate an accurate and professional-looking network diagram.

Also, templates make it easy to keep your documents up to date as you add new components or segments to your network.

2. Network and Data Flow Diagrams Should Be Simple and Easy to Understand.

Due to information overload, it cannot be easy to distinguish between in-scope and out-of-scope components or monitor cardholder data flow through the media when network diagrams go into too much detail about the network segment and connection elements.

An information technology professional or someone unfamiliar with the network environment should understand PCI network diagrams. The systems, network segments, and credit card data streams that make up your CDE should be easily identifiable by anyone new.

Elements of a simple network diagram include:

Included and non-scoped components should be displayed. Color coding is very effective for this.
A minimal structure with only the necessary details should be created. Start simple and only add as much detail as required to represent the critical components of the CDE.
Remember to include a simple key that describes symbols, data flow paths, and color-coding.

While it is essential to provide a complete picture of your CDE, it is equally important not to clutter information with unnecessary, distracting details.

3. It should clearly show your CDE and the flow of cardholder data.

Your team should use symbols, images, and color-coding to show your CDE and how data flows through it. It is beneficial to use appropriate symbols for system types or system groups and boxes or shading around network segments and physical locations.

While SRV1 may make a lot of sense to you, it may not be so for unfamiliar readers. Add a key to your diagram so others can easily decipher symbols and color-coding. Also, use short descriptions of these items in addition to or instead of system or network names.

The common problem is that network diagrams show where systems are and how they are connected but fail to show how cardholder data move across the environment. It is necessary to show precisely where cardholder data enters the corporate environment, how it travels between your critical systems and networks, where it is stored, and where it exists for processing.

All critical systems involved in storing, processing, or transmitting cardholder data should be listed in your schema, along with a clear understanding of where they are located.

By PCI Requirement 2.4, your organization must maintain an inventory of in-scope system components. This inventory will play an essential role in identifying critical systems that will be represented in your diagram.

4. Don’t Neglect Versioning Your Diagrams

In most cases, only one individual is in charge of keeping the network and data flow charts current and accurate. However, multiple people often take care of maintaining the network infrastructure, processing card data, and completing other tasks that affect your PCI compliance.

As a result, multiple and conflicting versions of the same documents are commonly found in emails, network shares, and individual machines, making it challenging to obtain the most recent and complete document.

Provide a single source of truth with permission-based controls for viewing, commenting, and editing so you can easily share documents as you gather input and make changes to your infrastructure.

It’s also helpful to add version and permission-based controls to your document, as more than one person, is likely to contribute network and data flow diagrams. This step ensures that different versions of your diagram are consistent. To show your assessor that your diagrams are up to date, your team will need to document the date of each update.

PCI compliance is more than an annual assessment. Compatibility requires a well-rounded understanding of your team’s CDE and adapting as changes are made. An up-to-date diagram clearly shows your evaluator that your company actively monitors your CDE to meet your PCI compliance goals.

5. Review and update network and data flow documentation quarterly or after any infrastructure change

Businesses are constantly evolving, scaling, and trying to be more efficient. These activities frequently overlap with how companies establish their networks and the many methods they employ to accept, process, and store credit cards.

After creating your initial network documents, review and update your diagrams as changes are made to ensure your document reflects an accurate representation of your current network and business processes.

Continually updated diagrams indicate adequate oversight for compliance and that the team is aware of changes. When changes are made to your CDE, make sure your team changes the network schema to reflect those changes.

To keep your network diagrams up to date, you should evaluate them regularly. Don’t wait until your yearly assessment to determine how the environment evolved last year and how these changes have affected your PCI compliance scope.

The best way to keep your diagrams up to date is to add a step to your change control process and ask the following after each change:

Do I need to make any changes to the network diagram?
Do I need to make any changes to the data flow chart?

You should review your diagrams at least every six months and after significant changes to your systems. PCI DSS does not specify the frequency of reviews, but scheduling semiannual inspections is a good start.

This app will keep you aware of potential network vulnerabilities and provide the necessary documented information your auditor will need to verify your PCI compliance during your following assessment.