The Payment Card Industry’s (PCI) Data Security Standards (DSS) regulate the protection of cardholder data. All organizations that collect, store, transmit, or process data—termed “merchants”—must comply with DSS Requirements. And having a PCI DSS network diagram that visually represents cardholder data environments (CDE) is needed as part of your compliance efforts.
PCI DSS Network Diagrams
Network diagrams are explicitly specified within the PCI DSS subrequirements and certain annual compliance reports:
- PCI DSS Requirement 1.1.2
- PCI DSS Requirement 1.1.3
- Report on Compliance (ROC)
- Some Self-Assessment Questionnaire (SAQ) versions
The PCI DSS applies to all merchants. Therefore, all organizations subject to PCI DSS regulations must create and maintain network diagrams. However, not every merchant must submit them. Including a PCI DSS network diagram as part of your documentation depends on your yearly reporting requirements.
As a PCI compliance expert, RSI Security can assist your network diagram creation and updates, along with all other DSS adherence and reporting efforts.
What is a Network Diagram?
A network diagram is simply the visual representation of your organization’s computer network and may adopt a high-level or detailed view. A PCI network diagram must include all cardholder data environments, connected networks, and other connected IT resources in its scope.
Network Diagrams as Required by the PCI DSS—1.1.2 and 1.1.3
The PCI DSS specifies network diagrams as obligatory in Requirements 1.1.2 and 1.1.3, mandating two different diagrams:
- 1.1.2 – “Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.”
- 1.1.3 – “Current diagram that shows all cardholder data flows across systems and networks.”
Requirements 1.1.2 and 1.1.3 Testing Procedures
Beyond specifying the DSS Requirements, the PCI Security Standards Council (SSC) provides testing procedures for merchants to check and verify their compliance efforts. Requirements 1.1.2 and 1.1.3’s testing procedures require verifying that all network and data-flow diagrams remain up-to-date and comprehensive. These efforts explicitly include interviewing relevant personnel for confirmation.
Merchants should perform these testing procedures (or partner with a PCI DSS expert) periodically and following any network or CDE changes to maintain compliance.
Creating a PCI Network Segmentation Diagram
Organizations can segment—or separate via additional controls—their networks and connected CDEs to reduce PCI DSS scope and simplify their compliance efforts. To initiate and maintain this effort, a PCI network segmentation diagram is invaluable.
Proper segmentation is achieved through purpose-built or implemented control processes and technologies (e.g., firewalls). It prevents communication and connection between the CDE and an organization’s other IT environments, systems, and resources.
When creating network diagrams, segmentation technologies should be included as CDE boundaries and demonstrate that no traffic is permitted.
Network Diagrams for Annual PCI DSS Reporting
All PCI DSS-subject merchants must submit annual reporting documentation to verify their ongoing compliance. Some reports must contain network diagrams within the submitted documentation, the inclusion of which depends on an organization’s annual transaction volume and cardholder data activity.
Report on Compliance (ROC) Network Diagrams
The PCI DSS-subject companies that handle the most transactions annually (merchants processing over six million transactions across all channels, per SSC member Visa) must submit a Report on Compliance. ROCs are compiled following a thorough PCI DSS audit that must be conducted by an SSC-approved Qualified Security Assessor (QSA), such as RSI Security.
PCI DSS Network Diagram Example for ROCs
ROCs require organizations to provide two network diagrams: high-level and detailed. According to the PCI-provided ROC Template, PCI DSS network diagram example for each type must include:
- High-level network diagrams – Overall CDE architecture and network topography (summarizing all locations, relevant systems, and their boundaries), including:
- Inbound and outbound network connections and the demarcation points between the CDE(s) and other networks and zones
- CDE critical components, including relevant POS devices, systems, databases, and web servers
- Other necessary payment components
- Detailed network diagrams – Communication and connection points between in-scope networks, environments, and facilities, including:
- All CDE boundaries
- Any network segmentation points that reduce PCI DSS compliance scope
- Trusted and untrusted network boundaries
- Connected networks (wireless and wired)
- All other applicable connection points
Self-Assessment Questionnaires (SAQs) Requiring Network Diagrams
All organizations that handle fewer than six million annual transactions must complete and submit yearly SAQs. The PCI SSC provides nine different SAQ versions, each specific to business activity and cardholder data interactions.
Four SAQ versions specifically ask whether the given organization maintains a current network diagram:
- Version A-EP – For e-commerce merchants that have outsourced all payment processing to a PCI DSS-validated third party so that no cardholder data is electronically stored, processed, transmitted via their systems or on their premises.
- Version B – For merchants that only use imprint machines or standalone, dial-out terminals (with no electronic cardholder data storage).
- Version D (for merchants) – For merchants that do not meet the criteria for other SAQ versions
- Version D (for service providers) – For any service provider that a payment card brand has defined as subject to the PCI DSS and annual SAQ submission
Creating and Maintaining PCI DSS Network Diagrams
Up-to-date and comprehensive PCI DSS network diagrams are required for compliance, regardless of whether your organization’s annual reports must include them within the submitted documentation. Though already mandatory, network diagrams provide a significantly helpful reference for understanding your organization’s PCI DSS scope (and reducing it via segmentation).
RSI Security leverages our extensive experience with PCI DSS compliance as an SSC-approved Qualified Security Assessor to advise and assist organizations.
Contact RSI Security today to begin creating or updating your PCI network diagram.