Compliance with the PCI DSS Requirements is critical to securing card payment transactions and safeguarding the sensitivity of cardholder data. Per the PCI physical security requirements, organizations that process cardholder data must secure all physical access to the cardholder data to minimize unauthorized access and mitigate data breaches. Read on to learn more.
Cardholder and payment data are prime targets of digital attacks. Establishing and maintaining a secure network is essential to handling, storing, and processing this data safely. PCI Security Standards exist to guide the entities that handle this data on how to protect it thoroughly. This guide will introduce the standards and their goals and cover best practices for meeting PCI compliance network security requirements.
If your organization processes, transmits, or stores card payment data, you must comply with the PCI DSS guidelines to safeguard the sensitivity of card payment transactions. The guidelines listed in the PCI compliance key management requirements will help secure any sensitive card payment data you store or process. Read on to learn more.
The Payment Card Industry’s (PCI) Security Standards Council (SSC) requires companies who process card and electronic payments to maintain compliance with regulations that protect cardholder data. To demonstrate that they continually comply with the Data Security Standard (DSS) and any other applicable standards, companies must pass a quarterly PCI compliance scan conducted by an Approved Scanning Vendor (ASV). Continue reading for a walkthrough and preparation tips regarding how to pass PCI compliance scan testing.
According to the payment card industry’s (PCI) Data Security Standards (DSS), organizations must minimize the breach risks to cardholder data (CHD), including sensitive authentication data. Specifically for PCI compliance, sensitive authentication data requirements generally stipulate that organizations may not store magnetic stripe data, personal identification numbers (PINs), and card verification values (CVVs).
The Payment Card Industry’s (PCI) Data Security Standards (DSS) regulate the protection of cardholder data. All organizations that collect, store, transmit, or process data—termed “merchants”—must comply with DSS Requirements. And having a PCI DSS network diagram that visually represents cardholder data environments (CDE) is needed as part of your compliance efforts.
PCI DSS Network Diagrams
Network diagrams are explicitly specified within the PCI DSS subrequirements and certain annual compliance reports:
- PCI DSS Requirement 1.1.2
- PCI DSS Requirement 1.1.3
- Report on Compliance (ROC)
- Some Self-Assessment Questionnaire (SAQ) versions
The PCI DSS applies to all merchants. Therefore, all organizations subject to PCI DSS regulations must create and maintain network diagrams. However, not every merchant must submit them. Including a PCI DSS network diagram as part of your documentation depends on your yearly reporting requirements.
As a PCI compliance expert, RSI Security can assist your network diagram creation and updates, along with all other DSS adherence and reporting efforts.
What is a Network Diagram?
A network diagram is simply the visual representation of your organization’s computer network and may adopt a high-level or detailed view. A PCI network diagram must include all cardholder data environments, connected networks, and other connected IT resources in its scope.
Network Diagrams as Required by the PCI DSS—1.1.2 and 1.1.3
The PCI DSS specifies network diagrams as obligatory in Requirements 1.1.2 and 1.1.3, mandating two different diagrams:
- 1.1.2 – “Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.”
- 1.1.3 – “Current diagram that shows all cardholder data flows across systems and networks.”
Requirements 1.1.2 and 1.1.3 Testing Procedures
Beyond specifying the DSS Requirements, the PCI Security Standards Council (SSC) provides testing procedures for merchants to check and verify their compliance efforts. Requirements 1.1.2 and 1.1.3’s testing procedures require verifying that all network and data-flow diagrams remain up-to-date and comprehensive. These efforts explicitly include interviewing relevant personnel for confirmation.
Merchants should perform these testing procedures (or partner with a PCI DSS expert) periodically and following any network or CDE changes to maintain compliance.
Creating a PCI Network Segmentation Diagram
Organizations can segment—or separate via additional controls—their networks and connected CDEs to reduce PCI DSS scope and simplify their compliance efforts. To initiate and maintain this effort, a PCI network segmentation diagram is invaluable.
Proper segmentation is achieved through purpose-built or implemented control processes and technologies (e.g., firewalls). It prevents communication and connection between the CDE and an organization’s other IT environments, systems, and resources.
When creating network diagrams, segmentation technologies should be included as CDE boundaries and demonstrate that no traffic is permitted.
Network Diagrams for Annual PCI DSS Reporting
All PCI DSS-subject merchants must submit annual reporting documentation to verify their ongoing compliance. Some reports must contain network diagrams within the submitted documentation, the inclusion of which depends on an organization’s annual transaction volume and cardholder data activity.
Report on Compliance (ROC) Network Diagrams
The PCI DSS-subject companies that handle the most transactions annually (merchants processing over six million transactions across all channels, per SSC member Visa) must submit a Report on Compliance. ROCs are compiled following a thorough PCI DSS audit that must be conducted by an SSC-approved Qualified Security Assessor (QSA), such as RSI Security.
PCI DSS Network Diagram Example for ROCs
ROCs require organizations to provide two network diagrams: high-level and detailed. According to the PCI-provided ROC Template, PCI DSS network diagram example for each type must include:
- High-level network diagrams – Overall CDE architecture and network topography (summarizing all locations, relevant systems, and their boundaries), including:
- Inbound and outbound network connections and the demarcation points between the CDE(s) and other networks and zones
- CDE critical components, including relevant POS devices, systems, databases, and web servers
- Other necessary payment components
- Detailed network diagrams – Communication and connection points between in-scope networks, environments, and facilities, including:
- All CDE boundaries
- Any network segmentation points that reduce PCI DSS compliance scope
- Trusted and untrusted network boundaries
- Connected networks (wireless and wired)
- All other applicable connection points
Self-Assessment Questionnaires (SAQs) Requiring Network Diagrams
All organizations that handle fewer than six million annual transactions must complete and submit yearly SAQs. The PCI SSC provides nine different SAQ versions, each specific to business activity and cardholder data interactions.
Four SAQ versions specifically ask whether the given organization maintains a current network diagram:
- Version A-EP – For e-commerce merchants that have outsourced all payment processing to a PCI DSS-validated third party so that no cardholder data is electronically stored, processed, transmitted via their systems or on their premises.
- Version B – For merchants that only use imprint machines or standalone, dial-out terminals (with no electronic cardholder data storage).
- Version D (for merchants) – For merchants that do not meet the criteria for other SAQ versions
- Version D (for service providers) – For any service provider that a payment card brand has defined as subject to the PCI DSS and annual SAQ submission
Creating and Maintaining PCI DSS Network Diagrams
Up-to-date and comprehensive PCI DSS network diagrams are required for compliance, regardless of whether your organization’s annual reports must include them within the submitted documentation. Though already mandatory, network diagrams provide a significantly helpful reference for understanding your organization’s PCI DSS scope (and reducing it via segmentation).
RSI Security leverages our extensive experience with PCI DSS compliance as an SSC-approved Qualified Security Assessor to advise and assist organizations.
Contact RSI Security today to begin creating or updating your PCI network diagram.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.
The Payment Card Industry Security Standards Council (PCI SSC) requires all organizations that process card payments to secure sensitive payment account data. These organizations can minimize breach risks to cardholder data (CHD) and sensitive authentication data by complying with PCI frameworks, the most important of which is the PCI Data Security Standards (DSS). Implementing a PCI information security policy can help DSS-subject organizations secure sensitive payment account data.
The Payment Card Industry Security Standards Council (PCI SSC) requires all organizations that process card payments to protect cardholder data (CHD) and sensitive authentication data (SAD) from breach risks. PCI compliance testing is one of the best strategies to protect valuable CHD and SAD, requiring organizations to regularly test and scan systems to identify vulnerabilities.
The Payment Card Industry Data Security Standards (PCI DSS) is the most widely applicable PCI compliance framework that protects the security of card payment transactions. The PCI DSS stipulates requirements for protecting sensitive card payment data through storage, processing, or transmission activities. Nearly all organizations that conduct these activities must comply with the PCI DSS framework. Read on for a comprehensive walkthrough of the PCI DSS.
The Payment Card Industry Data Security Standards (PCI DSS) Requirements provide guidelines to protect cardholder data from exposure during card payment transactions. Organizations that process card payments must comply with the PCI DSS masking requirements to minimize breach risks to cardholder data. Read on to learn more.