I've read that PCI DSS 3.0 introduces new requirements for network diagrams showing connections to card data. My organization has such a diagram, but it's more than a few years old. What steps do we need to take to update it to comply with PCI 3.0?
It's true that the requirements around network diagrams have changed with the release of PCI DSS 3.0. Before taking specific steps, take a look at your compliance process and consider the review period for the PCI DSS compliance documentation. If the diagram is a few years old, it's probably out of date.
I strongly recommend that you institute an annual review/update process that puts document reviews on autopilot. Remember, PCI DSS compliance is not a once-a-year activity. It's important to maintain a "current network diagram" year-round. The diagram should include all connections between devices processing cardholder data and other networks, with particular attention paid to wireless networks.
There are two PCI DSS requirements that involve network diagrams. The first, requirement 1.1.2, has only changed slightly. It now requires the maintenance of a "current network diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks." The italicized section was added with the release of PCI DSS 3.0. So, at a minimum, review your network diagram to make sure that it meets the requirements of the clarified rule by including relevant networks, network devices and system components. It must also show any connections between the cardholder network and other networks. Chances are, if you've been maintaining a decent network diagram, the bulk of this work is already done.
The second requirement, requirement 1.1.3, is new with PCI DSS 3.0. It mandates the maintenance of a "current diagram that shows all cardholder data flows across systems and networks." This requirement asks for a current business process diagram that overlays the network diagram. It should clearly demonstrate where cardholder data is stored and transmitted and how different system components interact with that data.