I've read that PCI DSS 3.0 introduces new requirements for network diagrams showing connections to card data. My organization has such a diagram, but it's more than a few years old. What steps do we need to take to update it to comply with PCI 3.0?
It's true that the requirements around network diagrams have changed with the release of PCI DSS 3.0. Before taking specific steps, take a look at your compliance process and consider the review period for the PCI DSS compliance documentation. If the diagram is a few years old, it's probably out of date.
I strongly recommend that you institute an annual review/update process that puts document reviews on autopilot. Remember, PCI DSS compliance is not a once-a-year activity. It's important to maintain a "current network diagram" year-round. The diagram should include all connections between devices processing cardholder data and other networks, with particular attention paid to wireless networks.
There are two PCI DSS requirements that involve network diagrams. The first, requirement 1.1.2, has only changed slightly. It now requires the maintenance of a "current network diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks." The italicized section was added with the release of PCI DSS 3.0. So, at a minimum, review your network diagram to make sure that it meets the requirements of the clarified rule by including relevant networks, network devices and system components. It must also show any connections between the cardholder network and other networks. Chances are, if you've been maintaining a decent network diagram, the bulk of this work is already done.
The second requirement, requirement 1.1.3, is new with PCI DSS 3.0. It mandates the maintenance of a "current diagram that shows all cardholder data flows across systems and networks." This requirement asks for a current business process diagram that overlays the network diagram. It should clearly demonstrate where cardholder data is stored and transmitted and how different system components interact with that data.