I've read that PCI DSS 3.0 introduces new requirements for network diagrams showing connections to card data. My...
organization has such a diagram, but it's more than a few years old. What steps do we need to take to update it to comply with PCI 3.0?
It's true that the requirements around network diagrams have changed with the release of PCI DSS 3.0. Before taking specific steps, take a look at your compliance process and consider the review period for the PCI DSS compliance documentation. If the diagram is a few years old, it's probably out of date.
I strongly recommend that you institute an annual review/update process that puts document reviews on autopilot. Remember, PCI DSS compliance is not a once-a-year activity. It's important to maintain a "current network diagram" year-round. The diagram should include all connections between devices processing cardholder data and other networks, with particular attention paid to wireless networks.
There are two PCI DSS requirements that involve network diagrams. The first, requirement 1.1.2, has only changed slightly. It now requires the maintenance of a "current network diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks." The italicized section was added with the release of PCI DSS 3.0. So, at a minimum, review your network diagram to make sure that it meets the requirements of the clarified rule by including relevant networks, network devices and system components. It must also show any connections between the cardholder network and other networks. Chances are, if you've been maintaining a decent network diagram, the bulk of this work is already done.
The second requirement, requirement 1.1.3, is new with PCI DSS 3.0. It mandates the maintenance of a "current diagram that shows all cardholder data flows across systems and networks." This requirement asks for a current business process diagram that overlays the network diagram. It should clearly demonstrate where cardholder data is stored and transmitted and how different system components interact with that data.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Want a quick and dirty rundown of PCI DSS requirements? Here's a fast guide.
One of our experts breaks down complying with specific PCI DSS requirements.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.