Gunnar Assmy - Fotolia

Manage Learn to apply best practices and optimize your operations.

Updating network diagrams for PCI DSS 3.0 compliance

Compliance with the PCI DSS 3.0 requirements means enterprises need to update their network diagrams. Mike Chapple outlines how to make these changes.

I've read that PCI DSS 3.0 introduces new requirements for network diagrams showing connections to card data. My...

organization has such a diagram, but it's more than a few years old. What steps do we need to take to update it to comply with PCI 3.0?

It's true that the requirements around network diagrams have changed with the release of PCI DSS 3.0. Before taking specific steps, take a look at your compliance process and consider the review period for the PCI DSS compliance documentation. If the diagram is a few years old, it's probably out of date.

I strongly recommend that you institute an annual review/update process that puts document reviews on autopilot. Remember, PCI DSS compliance is not a once-a-year activity. It's important to maintain a "current network diagram" year-round. The diagram should include all connections between devices processing cardholder data and other networks, with particular attention paid to wireless networks.

There are two PCI DSS requirements that involve network diagrams. The first, requirement 1.1.2, has only changed slightly. It now requires the maintenance of a "current network diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks." The italicized section was added with the release of PCI DSS 3.0. So, at a minimum, review your network diagram to make sure that it meets the requirements of the clarified rule by including relevant networks, network devices and system components. It must also show any connections between the cardholder network and other networks. Chances are, if you've been maintaining a decent network diagram, the bulk of this work is already done.

The second requirement, requirement 1.1.3, is new with PCI DSS 3.0. It mandates the maintenance of a "current diagram that shows all cardholder data flows across systems and networks." This requirement asks for a current business process diagram that overlays the network diagram. It should clearly demonstrate where cardholder data is stored and transmitted and how different system components interact with that data.

Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

Next Steps

Want a quick and dirty rundown of PCI DSS requirements? Here's a fast guide.

One of our experts breaks down complying with specific PCI DSS requirements.

This was last published in August 2014

Dig Deeper on PCI Data Security Standard