Maintaining PCI DSS Compliance is a multi-team effort. And it starts with knowing what's in scope for assessment. Your network and cardholder data flow diagrams are the heart and soul of your continuous PCI DSS Compliance program.

Wait. What? We need a network diagram?

If you thought documenting your in-scope PCI DSS processes was tough, getting alignment on the network diagram is like pulling teeth.

Why? I’m glad you asked.

The more complex your network environment is, the more people you’ll have involved with the creation, approval, and maintenance of your network diagram.

Likewise, the more cardholder data flows you have, the more data flow diagrams you’ll need. 

Toss in the requirement for ownership, accountability, and responsibility for network and cardholder data flow diagrams, and you’ll have people pointing fingers at anyone but themselves.

Let’s begin at the beginning and start with the PCI DSS requirement and testing procedures for maintaining a current and accurate network diagram.

Maintaining PCI DSS Compliance: Network Diagram Requirements

PCI DSS Requirement 1.2.3 

An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.

Testing Procedure:

1.2.3.a Examine diagram(s) and network configurations to verify that an accurate network diagram(s) exists in accordance with all elements specified in this requirement.

1.2.3.b Examine documentation and interview responsible personnel to verify that the network diagram(s) is accurate and updated when there are changes to the environment.

The Purpose of Requirement 1.2.3:

  • Maintaining an accurate and up-to-date network diagram(s) prevents network connections and devices from being overlooked and unknowingly left unsecured and vulnerable to compromise.
  • A properly maintained network diagram(s) helps an organization verify its PCI DSS scope by identifying systems connecting to and from the CDE.

Trust us. Keeping up with your network diagrams goes a long way when it comes to maintaining your PCI DSS Compliance.

But wait. Is there more?

What Needs To Be Included In Your Network Diagrams

The PCI DSS outlines what you need to include in your diagrams.

Keep in mind, your diagram must show ALL connections between your CDE and all other networks, including wireless.

Best practice: Get everyone connected to the network diagram on the same page for keeping it current and accurate!

You must identify the following:

  • All connections to and from all system components in the CDE, including
    • Systems providing security services
    • Systems providing management services
    • Systems providing maintenance services
  • The network diagram should also include the following:
    • All locations, including retail locations, datacenters, corporate locations, cloud providers, etc.
    • Clear labeling of all network segments
    • All security controls providing segmentation, including unique identifiers for each control (for example, name of control, make, model, and version).
    • All in-scope system components, including
      • NSCs
      • web app firewalls
      • anti-malware solutions
      • change management solutions
      • IDS/IPS
      • log aggregation systems
      • payment terminals
      • payment applications
      • HSMs, etc.
  • Clear labeling of any out-of-scope areas on the diagram via a shaded box or other mechanism.
  • Date of last update, and names of people that made and approved the updates.
  • A legend or key to explain the diagram.
  • Diagrams should be updated by authorized personnel to ensure diagrams continue to provide an accurate description of the network.
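As an added example (not part of the original post, and not a PCI DSS or vendor format), here is a small Python check that takes a machine-readable inventory of a network diagram and reports which of the Requirement 1.2.3 elements above are missing: update date and approver names, a legend, labelled segments, uniquely identified segmentation controls, and a control on every connection that crosses the CDE boundary. The inventory layout, the segment names, the control FW-01 and the component names are all constructed for this illustration.

```python
# Added example, not from the original post: checks a machine-readable inventory
# of a network diagram for the elements PCI DSS Requirement 1.2.3 calls for.
# The dict layout below is an assumption of this example, not a PCI DSS format.
# Constructed sample: one CDE segment, one connected corporate segment, one
# wireless segment. Two defects are included on purpose (see comments).
SAMPLE_DIAGRAM = {
    "last_updated": "2024-05-01",
    "updated_by": "network-team",
    "approved_by": "ciso",
    "legend": {"solid": "wired link", "dashed": "wireless link", "shaded": "out of scope"},
    "segments": [
        {"name": "CDE-POS", "cde": True},
        {"name": "CORP-LAN", "cde": False},
        {"name": "GUEST-WIFI", "cde": False},
    ],
    "controls": [  # every control that provides segmentation, uniquely identified
        {"id": "FW-01", "make": "ExampleCo", "model": "X1", "version": "9.1"},
    ],
    "connections": [
        {"from": "CDE-POS", "to": "CORP-LAN", "via": "FW-01"},
        {"from": "CDE-POS", "to": "GUEST-WIFI", "via": None},  # defect: no control
    ],
    "components": [
        {"name": "pos-term-01", "type": "payment terminal", "segment": "CDE-POS"},
        {"name": "siem-01", "type": "log aggregation", "segment": "CORP-LAN"},
        {"name": "hsm-01", "type": "HSM", "segment": "VAULT"},  # defect: unlabelled segment
    ],
}


def check_diagram(diagram: dict) -> list[str]:
    """Return findings; an empty list means every checked 1.2.3 element is present."""
    findings = []
    # Date of last update, names of the people who made and approved it, a legend.
    for field in ("last_updated", "updated_by", "approved_by", "legend"):
        if not diagram.get(field):
            findings.append(f"missing {field}")
    segments = {s["name"]: s for s in diagram.get("segments", [])}
    cde = {name for name, seg in segments.items() if seg.get("cde")}
    # Segmentation controls need a unique identifier plus make, model and version.
    control_ids = [c["id"] for c in diagram.get("controls", [])]
    if len(control_ids) != len(set(control_ids)):
        findings.append("segmentation control identifiers are not unique")
    for ctrl in diagram.get("controls", []):
        for attr in ("make", "model", "version"):
            if not ctrl.get(attr):
                findings.append(f"control {ctrl['id']} lacks {attr}")
    # Connections must join labelled segments; one crossing the CDE boundary must go through a listed control.
    for conn in diagram.get("connections", []):
        ends = (conn["from"], conn["to"])
        for end in ends:
            if end not in segments:
                findings.append(f"connection references unlabelled segment {end}")
        crosses_cde = (ends[0] in cde) != (ends[1] in cde)
        if crosses_cde and conn.get("via") not in control_ids:
            findings.append(f"CDE boundary {ends[0]} -> {ends[1]} has no segmentation control")
    # Every in-scope component must sit in a labelled segment.
    for comp in diagram.get("components", []):
        if comp["segment"] not in segments:
            findings.append(f"component {comp['name']} placed in unlabelled segment {comp['segment']}")
    return findings
```

Run against the sample, the check reports the unprotected CDE-to-wireless link and the HSM sitting in a segment the diagram never labels, which are exactly the "all connections" and "all locations" gaps the requirement is meant to surface.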

Did you catch all those “all” statements?

Unfortunately, that word “all” gets overlooked all. the. time. (See what I did there?)

A current network diagram plays a vital role in your overall PCI DSS Compliance program. Not only is it REQUIRED, but it’s also used in a number of requirements to validate that you’ve established the correct configurations for your network security controls.

And by the way, having a network diagram is critical when it’s time to do your end-to-end scope assessments. 

Be sure to tune in for Part 2 when we tackle the cardholder data flow diagrams.
