Maintaining network documentation for PCI Compliance

The PCI Data Security Standard (PCI DSS) is a set of about 200 prescriptive technical and process-centric requirements intended to help organizations proactively secure credit card data. Entities that store, process or transmit credit card data, including merchants, service providers and card issuers of all sizes, are required to comply with the PCI DSS.

To determine PCI scope within an organization, maintain detailed, up-to-date network topology diagrams that show all key in-scope systems and network devices. This documentation provides critical input for planning any changes to network segmentation and traffic restrictions.

The time, resources, and money an organization needs to achieve PCI compliance can be greatly reduced by adjusting network segmentation to isolate the systems that process, store, or transmit credit card data, along with their supporting systems.

I have worked with some clients who do not have properly maintained network documentation.  Some of those clients have proceeded with achieving PCI Compliance with an improperly defined scope.  Unfortunately, those clients will most likely have to redo efforts and make changes to their environment at an additional cost of time, effort, and possibly money.  Understanding your network architecture and how network traffic passes through your environment is crucial to maintaining a secure environment.  Part of this process needs to address credit card data flow documentation.  Documenting how credit card data flows through your environment, coupled with detailed network topology diagrams and traffic restriction documentation, will provide you with the information needed to make well-informed decisions regarding network segmentation in relation to PCI.
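As an added example (not part of the original post), the scoping decision described above can be made mechanically once the topology and traffic restrictions are documented: the script below takes a constructed host inventory and segment-level firewall rules, classifies each host as CDE, connected-to or out of scope, and flags segments that appear in the rule base but not in the inventory (documentation drift). The hosts, segment names and rules are all constructed, and the scoping rule is a simplification that ignores security-impacting systems.

```python
"""PCI scoping from a network inventory plus segment-level firewall rules.
Added example, not from the original post; hosts, segments and rules are
constructed.  Simplified rule: hosts in a CDE segment are in scope, hosts in
any segment with a permitted rule to or from the CDE are 'connected-to' and
in scope, everything else is out of scope."""

Rule = tuple[str, str]          # (source segment, destination segment) allowed by the firewall
CDE_SEGMENTS = {"cde"}          # constructed: segment holding the card-data systems

# Constructed "before": a flat network where the corporate LAN can reach the CDE.
INVENTORY_FLAT = {"pos-terminal": "cde", "payment-gw": "cde", "db-cards": "cde",
                  "ad-dc": "corp", "log-collector": "corp", "hr-wiki": "corp", "dev-build": "corp"}
RULES_FLAT: set[Rule] = {("corp", "cde"), ("cde", "corp")}

# Constructed "after": supporting systems moved to their own segment and the
# corporate LAN no longer has any rule to or from the CDE.
INVENTORY_SEGMENTED = {**INVENTORY_FLAT, "ad-dc": "support", "log-collector": "support"}
RULES_SEGMENTED: set[Rule] = {("support", "cde"), ("cde", "support")}


def connected_segments(rules: set[Rule], cde: set[str] = CDE_SEGMENTS) -> set[str]:
    """Non-CDE segments with a permitted rule to or from a CDE segment (either direction)."""
    return ({dst for src, dst in rules if src in cde and dst not in cde}
            | {src for src, dst in rules if dst in cde and src not in cde})


def pci_scope(inventory: dict[str, str], rules: set[Rule],
              cde: set[str] = CDE_SEGMENTS) -> dict[str, set[str]]:
    """Classify every inventoried host as 'cde', 'connected' or 'out_of_scope'."""
    connected = connected_segments(rules, cde)
    scope: dict[str, set[str]] = {"cde": set(), "connected": set(), "out_of_scope": set()}
    for host, segment in inventory.items():
        key = "cde" if segment in cde else "connected" if segment in connected else "out_of_scope"
        scope[key].add(host)
    return scope


def documentation_gaps(inventory: dict[str, str], rules: set[Rule]) -> set[str]:
    """Segments named in the rule base but holding no inventoried host: the diagram
    and the firewall have drifted apart and the documentation needs reconciling."""
    return {seg for rule in rules for seg in rule} - set(inventory.values())


if __name__ == "__main__":
    for label, inv, rules in (("flat", INVENTORY_FLAT, RULES_FLAT),
                              ("segmented", INVENTORY_SEGMENTED, RULES_SEGMENTED)):
        s = pci_scope(inv, rules)
        print(f"{label}: in scope {sorted(s['cde'] | s['connected'])}, "
              f"out of scope {sorted(s['out_of_scope'])}, gaps {documentation_gaps(inv, rules)}")
```

In the flat picture every host is in scope; after segmentation only the three CDE hosts and the two supporting systems remain, which is the scope reduction the post describes.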

If an organization that must maintain PCI compliance acquires or merges with another organization, it may be beneficial for all parties to incorporate the development of network documentation into the M&A process. By doing this, both parties can ensure that compliance policies are being maintained through a unified compliance framework.

Viviana Dragu, PCI QSA
Consultant, PCI Compliance Services
