Category: PCI DSS

Stay up-to-date with PCI DSS compliance. Explore in-depth guides, implementation steps, and best practices to safeguard payment data and meet regulatory standards.

  • PCI DSS 4.0 Timeline: When Do You Need to Comply?

    The PCI DSS 4.0 timeline began in March 2022, marking the official start of the transition period for organizations to meet the new compliance requirements. This latest version of the Payment Card Industry Data Security Standard (PCI DSS) introduces updated controls to strengthen data protection and reduce payment security risks. But what does this timeline mean for your organization, and how long do you have to achieve full PCI DSS 4.0 compliance?

  • What Are PCI Compliance Data Center Requirements?

    Ensuring compliance with PCI requirements is essential for protecting sensitive cardholder data (CHD) in data centers. PCI compliance data center requirements provide organizations with clear standards to safeguard CHD, reduce breach risks, and optimize their security practices according to the PCI DSS. Keep reading to understand what data centers must do to stay fully compliant.

  • PCI Compliance Key Management Requirements

    If your organization processes, transmits, or stores card payment data, following the PCI key management requirements is essential to protect sensitive cardholder information. These PCI DSS guidelines provide best practices for generating, storing, distributing, and retiring encryption keys, ensuring that card payment data remains secure.

    Read on to learn how your organization can implement effective key management strategies to maintain PCI compliance and reduce the risk of data breaches.

  • Do You Need a PCI DSS Network Diagram?

    The Payment Card Industry’s (PCI) Data Security Standards (DSS) regulate the protection of cardholder data. All organizations that collect, store, transmit, or process data—termed “merchants”—must comply with DSS Requirements. And having a PCI DSS network diagram that visually represents cardholder data environments (CDE) is needed as part of your compliance efforts.

    PCI DSS Network Diagrams

    Network diagrams are explicitly specified within the PCI DSS subrequirements and certain annual compliance reports:

    • PCI DSS Requirement 1.1.2
    • PCI DSS Requirement 1.1.3
    • Report on Compliance (ROC)
    • Some Self-Assessment Questionnaire (SAQ) versions

    The PCI DSS applies to all merchants. Therefore, all organizations subject to PCI DSS regulations must create and maintain network diagrams. However, not every merchant must submit them. Including a PCI DSS network diagram as part of your documentation depends on your yearly reporting requirements.

    As a PCI compliance expert, RSI Security can assist your network diagram creation and updates, along with all other DSS adherence and reporting efforts.

    What is a Network Diagram?

    A network diagram is simply the visual representation of your organization’s computer network and may adopt a high-level or detailed view. A PCI network diagram must include all cardholder data environments, connected networks, and other connected IT resources in its scope.


    Network Diagrams as Required by the PCI DSS—1.1.2 and 1.1.3

    The PCI DSS specifies network diagrams as obligatory in Requirements 1.1.2 and 1.1.3, mandating two different diagrams:

    • 1.1.2 – “Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.”
    • 1.1.3 – “Current diagram that shows all cardholder data flows across systems and networks.”

    Requirements 1.1.2 and 1.1.3 Testing Procedures

    Beyond specifying the DSS Requirements, the PCI Security Standards Council (SSC) provides testing procedures for merchants to check and verify their compliance efforts. Requirements 1.1.2 and 1.1.3’s testing procedures require verifying that all network and data-flow diagrams remain up-to-date and comprehensive. These efforts explicitly include interviewing relevant personnel for confirmation.

    Merchants should perform these testing procedures (or partner with a PCI DSS expert) periodically and following any network or CDE changes to maintain compliance.

    Creating a PCI Network Segmentation Diagram

    Organizations can segment—or separate via additional controls—their networks and connected CDEs to reduce PCI DSS scope and simplify their compliance efforts. To initiate and maintain this effort, a PCI network segmentation diagram is invaluable.

    Proper segmentation is achieved through purpose-built or implemented control processes and technologies (e.g., firewalls). It prevents communication and connection between the CDE and an organization’s other IT environments, systems, and resources.

    When creating network diagrams, segmentation technologies should be shown as the CDE boundaries, and the diagram should demonstrate that no traffic is permitted across them.

    Network Diagrams for Annual PCI DSS Reporting

    All PCI DSS-subject merchants must submit annual reporting documentation to verify their ongoing compliance. Some reports must contain network diagrams within the submitted documentation, the inclusion of which depends on an organization’s annual transaction volume and cardholder data activity.

    Report on Compliance (ROC) Network Diagrams

    PCI DSS-subject companies that handle the most transactions annually (merchants processing over six million transactions across all channels, per SSC member Visa) must submit a Report on Compliance. ROCs are compiled following a thorough PCI DSS audit that must be conducted by an SSC-approved Qualified Security Assessor (QSA), such as RSI Security.

    PCI DSS Network Diagram Example for ROCs

    ROCs require organizations to provide two network diagrams: high-level and detailed. According to the PCI-provided ROC Template, the PCI DSS network diagram example for each type must include:

    • High-level network diagrams – Overall CDE architecture and network topography (summarizing all locations, relevant systems, and their boundaries), including:
      • Inbound and outbound network connections and the demarcation points between the CDE(s) and other networks and zones
      • CDE critical components, including relevant POS devices, systems, databases, and web servers
      • Other necessary payment components
    • Detailed network diagrams – Communication and connection points between in-scope networks, environments, and facilities, including:
      • All CDE boundaries
      • Any network segmentation points that reduce PCI DSS compliance scope
      • Trusted and untrusted network boundaries
      • Connected networks (wireless and wired)
      • All other applicable connection points

    Self-Assessment Questionnaires (SAQs) Requiring Network Diagrams

    All organizations that handle fewer than six million annual transactions must complete and submit yearly SAQs. The PCI SSC provides nine different SAQ versions, each specific to business activity and cardholder data interactions.

    Four SAQ versions specifically ask whether the given organization maintains a current network diagram:

    • Version A-EP – For e-commerce merchants that have outsourced all payment processing to a PCI DSS-validated third party so that no cardholder data is electronically stored, processed, or transmitted via their systems or on their premises.
    • Version B – For merchants that only use imprint machines or standalone, dial-out terminals (with no electronic cardholder data storage).
    • Version D (for merchants) – For merchants that do not meet the criteria for other SAQ versions.
    • Version D (for service providers) – For any service provider that a payment card brand has defined as subject to the PCI DSS and annual SAQ submission.

    Creating and Maintaining PCI DSS Network Diagrams

    Up-to-date and comprehensive PCI DSS network diagrams are required for compliance, regardless of whether your organization’s annual reports must include them within the submitted documentation. Beyond being mandatory, network diagrams also provide a valuable reference for understanding your organization’s PCI DSS scope (and reducing it via segmentation).

    RSI Security leverages our extensive experience with PCI DSS compliance as an SSC-approved Qualified Security Assessor to advise and assist organizations.

    Contact RSI Security today to begin creating or updating your PCI network diagram.


  • SSL Security and PCI Compliance for eCommerce: Top Challenges and Considerations

    eCommerce businesses that process large volumes of card payment transactions must protect the sensitive data involved. Strong SSL security and PCI compliance practices for eCommerce can minimize data breach risks and enhance your overall eCommerce cybersecurity. Read on to learn about the top challenges and considerations.

  • Are You Eligible for PCI DSS Remote Assessment?

    Ongoing PCI DSS adherence mandates that applicable organizations complete security assessments to verify compliance. Although a Qualified Security Assessor (QSA) will conduct onsite compliance audits and attestations, you may be eligible for a PCI DSS remote assessment. Read on to learn if you’re eligible.

  • Would Your Workforce Benefit from PCI Certification Training Modules?

    Organization-wide adherence to PCI compliance is critical to protecting sensitive cardholder data from cybersecurity threats. PCI certification training can help increase employee awareness and understanding of PCI security frameworks, ultimately strengthening your organization’s PCI data security. Read on to learn more about the various PCI certification training modules.

  • Top AOC PCI Compliance Considerations

    Payment Card Industry (PCI) compliance reporting is required for all organizations that process credit and debit card payments. Depending on PCI Level, organizations are required to report on compliance by having a Qualified Security Assessor (QSA) complete an Attestation of Compliance (AOC). Read on to learn about top AOC PCI compliance considerations.

  • Proper System Authentication Measures for PCI DSS 8 Requirements

    Payment Card Industry (PCI) compliance is required for the security and stability of all card-related transactions, regardless of industry. The Data Security Standard (DSS) as stipulated by the PCI is broken down into 12 primary requirements; this article will detail PCI DSS Requirement 8, which focuses on identifying and authenticating all access to system components. Below, we’ll examine all controls and measures for compliance within Requirement 8’s sub-requirements.

  • PCI DSS Best Practices for Compliance

    Any organization that handles cardholder data (CHD) is required to follow the Data Security Standards (DSS) established by the Payment Card Industry (PCI). These rules and regulations play a critical role in protecting networks and CHD environments (CDE) from internal and external threats alike. However, their effectiveness can depend on your staff following a few PCI DSS best practices.