Network data flow diagrams are essential to understanding the flow of account data into, within, and outside of an organization’s data handling assets—and achieving PCI compliance. Beyond tracking the flow of account data within networks, network data flow diagrams also help secure cardholder data environments from potentially malicious traffic. Read on to learn more.
How to Optimize PCI Compliance with Network Flow Diagrams
Network data flow diagrams can be leveraged to optimize PCI compliance and secure cardholder data (CHD) wherever it is located within a CHD environment (CDE).
This blog will focus on how to:
- Construct PCI-compliant network data flow diagrams
- Leverage network data flow diagrams to secure CHD
The positioning of network data flow diagrams within the overall CDE is critical to managing PCI data security risks and mitigating data breaches. Working with a PCI compliance advisor will help you configure network data flow diagrams to meet your data security needs.
Breakdown of the PCI DSS Requirements
Compliance with the Payment Card Industry (PCI) Data Security Standards (DSS) is critical to securing CHD from points of collection until it is destroyed or transmitted outside of your organization’s CDE. The 12 requirements of the PCI DSS v4.0 include:
- Requirement 1 – Implement secure networks
- Requirement 2 – Secure system components
- Requirement 3 – Safeguard the storage of account data
- Requirement 4 – Secure CHD transmission over unsecured networks
- Requirement 5 – Deploy anti-malware controls on systems and networks
- Requirement 6 – Safeguard systems and software
- Requirement 7 – Securely manage access to systems and CHD
- Requirement 8 – Implement user identification and access authentication processes
- Requirement 9 – Safeguard physical access to CHD
- Requirement 10 – Monitor user access to systems and CHD
- Requirement 11 – Test networks and systems for security threats
- Requirement 12 – Establish a PCI security policy
Requirements 1, 4, 11, and 12 of the PCI DSS pertain to network data flow diagrams and will help strengthen the security of CDE. The guidelines stipulated by the PCI DSS requirements apply to any organization that handles CHD—regardless of industry—and mitigate breaches.
What are Network Data Flow Diagrams?
A network diagram describes the connections between various components in an organization’s IT infrastructure. Within a cybersecurity program, network diagrams are critical to gaining visibility into the flow of data between networked components.
Network Diagrams and Topologies
Network diagrams are typically classified under two topologies:
- Physical topology – Network diagrams in physical topologies describe the central connections of components to a hub, such as a central server. Components of a physical topology include:
- Servers that store data or host cloud-based components
- Computers (e.g., laptops, workstations) where personnel can access networks
- Endpoints (e.g., mobile devices) that can be accessed outside secure networks
- Routers that act as network hubs
- Logical topology – Network diagrams in logical topologies represent the flow of data across networks via components such as:
- IP addresses connecting networked devices
- Cables connecting physical devices
The most effective network diagrams are those that are constructed with an understanding of an organization’s network topologies.
Components of a Network Data Flow Diagram
When CHD is processed by an organization, network data flow diagrams represent the flow of CHD from one component to another within the IT infrastructure.
Components of a network data flow diagram may include:
- Applications (connected to internal or external networks), such as:
- Web applications
- Cloud-hosted applications
- Systems networked to CDE, such as:
- Data processing systems
- Security systems
- Segmentation systems
- Network components such as:
- Network security controls (NSCs)
- Wireless access points
It is critical that all networked components within the scope of the PCI DSS are identified during the construction of network data flow diagrams and included in the representations of data flowing into and out of the CDE.
Connections Within a Cardholder Data Flow Diagram
For an organization to be compliant with Requirement 1, a network data flow diagram should, at minimum, include all connection points through which data enters or exits the organization’s network. In an effective cardholder data flow diagram, examples of connection points include:
- Channels at which CHD is collected and accepted, such as:
- Card-present terminals
- Card-not-present terminals
- E-commerce channels
- Stages at which CHD is processed, including the:
- Authorization of a user’s CHD accounts
- Collection of CHD at payment terminals
- Settlement of payment accounts
- Refunds of card payments
- Methods by which CHD is received or transmitted, such as:
- Hard copy media
- Online forms
- Short- and long-term storage locations of CHD
- Sources of CHD such as:
- Third-party vendors
- Details surrounding the updates made to cardholder data flow diagrams, including:
- Personnel who made the updates
- Chain of approval for all updates
- Dates of the most recent update
How Can Network Data Flow Diagrams Secure CHD?
By providing visibility into connections to sensitive CDE, network data flow diagrams streamline the processes for securing networks connected to sensitive CDE and encrypting CHD that may come into contact with networks outside the defined PCI scope.
Network Data Flow Diagrams and Network Security
When constructing a PCI data flow diagram, network security should remain at the forefront from start to finish. To secure account data, network data flow diagrams should include:
- Locations of CDE, physical or otherwise, such as:
- Retail locations where CHD is collected
- Data centers that handle CHD
- Servers hosting cloud provider services
- Clearly labeled network segments for all networked components within the CDE
- Segmentation controls and their unique identifiers
- System components within PCI scope, such as:
- Web application firewalls
- Anti-malware tools
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Payment terminals and applications
- Clearly labeled system components outside of PCI scope
- Logs of changes made to the diagram, including:
- Who made or approved the changes
- Dates of the most recent updates
- Well-illustrated legends to explain the network data flow diagram
It is critical that network data flow diagrams are routinely updated by authorized personnel to capture the most accurate description of the flow of data within your networks and minimize vulnerability risks within the sensitive CDE.
Network Data Flow Diagrams and Account Data Encryption
PCI DSS Requirement 4 mandates the encryption of CHD during its transmission across unsecured networks. One of the most sensitive components of CHD is the primary account numbers (PANs), whose exposure can compromise the overall integrity of CHD. Network data flow diagrams are critical to identifying which connection points must be encrypted during the transmission of PAN across internal or external networks.
Once connection points are identified and mapped via the network data flow diagram, PAN transmission should be encrypted via:
- Trusted cryptographic keys and security certificates
- Secure configurations of cryptographic keys and algorithms
- Strong encryption tools that meet or surpass industry standards
With the help of a network data flow diagram, you will secure networks from data breach risks and bolster the security posture of your sensitive CDE.
Broader Security Benefits of Network Data Flow Diagrams
Beyond optimizing network security and CHD encryption, network data flow diagrams enhance:
- Network testing – PCI DSS Requirement 11 mandates routine testing of networks used to transmit CHD. Network data flow diagrams will help optimize network testing by identifying connections at:
- Critical points within the CDE
- The perimeter of the CDE
- Change management – For the robust implementation of a PCI security policy (per DSS Requirement 12), network data flow diagrams will help manage changes to the flow of CHD into and out of the CDE.
However, it is critical that all network data flow diagrams are kept up-to-date with your current security implementations to minimize any lapses in security oversight. Working with a PCI compliance advisor will help you design PCI-compliant network data flow diagrams.
Optimize Your PCI Network Security ROI
As a critical component of a PCI-compliant network, network data flow diagrams will help secure CHD and strengthen your data security posture. With the help of a leading PCI compliance partner like RSI Security, you will optimize network security and minimize vulnerabilities to sensitive CHD environments. Contact RSI Security today to learn more!
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.