I've read that PCI DSS 3.0 introduces new requirements for network diagrams showing connections to card data. My...
organization has such a diagram, but it's more than a few years old. What steps do we need to take to update it to comply with PCI 3.0?
It's true that the requirements around network diagrams have changed with the release of PCI DSS 3.0. Before taking specific steps, take a look at your compliance process and consider the review period for the PCI DSS compliance documentation. If the diagram is a few years old, it's probably out of date.
I strongly recommend that you institute an annual review/update process that puts document reviews on autopilot. Remember, PCI DSS compliance is not a once-a-year activity. It's important to maintain a "current network diagram" year-round. The diagram should include all connections between devices processing cardholder data and other networks, with particular attention paid to wireless networks.
There are two PCI DSS requirements that involve network diagrams. The first, requirement 1.1.2, has only changed slightly. It now requires the maintenance of a "current network diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks." The italicized section was added with the release of PCI DSS 3.0. So, at a minimum, review your network diagram to make sure that it meets the requirements of the clarified rule by including relevant networks, network devices and system components. It must also show any connections between the cardholder network and other networks. Chances are, if you've been maintaining a decent network diagram, the bulk of this work is already done.
The second requirement, requirement 1.1.3, is new with PCI DSS 3.0. It mandates the maintenance of a "current diagram that shows all cardholder data flows across systems and networks." This requirement asks for a current business process diagram that overlays the network diagram. It should clearly demonstrate where cardholder data is stored and transmitted and how different system components interact with that data.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Want a quick and dirty rundown of PCI DSS requirements? Here's a fast guide.
One of our experts breaks down complying with specific PCI DSS requirements.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Examine the important differences between stateful and stateless firewalls, and learn when each type of firewall should be used in an enterprise ... Continue Reading
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading