Maintaining network documentation for PCI Compliance

The PCI Data Security Standard (PCI DSS) is a set of about 200 prescriptive technical and process-centric requirements intended to help organizations proactively secure credit card data. Entities that store, process or transmit credit card data, including merchants, service providers and card issuers of all sizes, are required to comply with the PCI DSS.

In order to determine PCI scope within an organization, detailed diagrams showing network topology, including all key in-scope systems and network devices, should be regularly maintained. This documentation provides critical input for planning any changes to network segmentation and traffic restrictions.

The time, resources and money required for an organization to achieve PCI compliance can be greatly reduced by adjusting network segmentation to isolate the systems that process, store or transmit credit card data, together with their supporting systems.

I have worked with some clients that do not have properly maintained network documentation. Some of those clients have proceeded with achieving PCI compliance with an improperly defined scope. Unfortunately, those clients will most likely have to redo efforts and make changes to their environment at an additional cost of time, effort, and possibly money. Understanding your network architecture, and how network traffic passes through your environment, is crucial to maintaining a secure environment. Part of this process needs to address credit card data flow documentation. Documenting how credit card data flows through your environment, coupled with detailed network topology diagrams and traffic restriction documentation, will provide you with the information needed to make well-informed decisions regarding network segmentation in relation to PCI.
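To make the scoping exercise described above concrete, here is a small Python script, added to this post as an illustration rather than taken from it or from any assessment tool: it takes a network inventory (which hosts handle card data and which zone they sit in) plus a zone-to-zone firewall policy, derives the PCI scope (CDE, connected-to, out of scope), and flags any rule that allows unrestricted traffic into or out of the CDE. All hostnames, zones, ports and rules are constructed sample data, and "connected-to" is simplified to direct zone connectivity, which is an assumption of this example and not a substitute for an assessor's judgement.

```python
"""Toy PCI scope calculator from a network inventory and firewall policy.

Added example for this post; every host, zone and rule below is constructed.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Inventory: host -> zone it lives in, and whether it stores, processes or
# transmits cardholder data (CHD). Hypothetical values.
HOSTS: Dict[str, dict] = {
    "pos-01":     {"zone": "cde",   "handles_chd": True},
    "pay-app":    {"zone": "cde",   "handles_chd": True},
    "pay-db":     {"zone": "cde",   "handles_chd": True},
    "ad-dc":      {"zone": "mgmt",  "handles_chd": False},
    "log-siem":   {"zone": "mgmt",  "handles_chd": False},
    "hr-share":   {"zone": "corp",  "handles_chd": False},
    "dev-build":  {"zone": "corp",  "handles_chd": False},
    "guest-wifi": {"zone": "guest", "handles_chd": False},
}

# Firewall policy as (source zone, destination zone, allowed TCP ports).
# An empty port set means "any port", i.e. a flat, unsegmented link.
Rule = Tuple[str, str, FrozenSet[int]]

# Policy as found before the segmentation work (constructed).
BEFORE: List[Rule] = [
    ("corp", "cde", frozenset()),            # flat corporate LAN into the CDE
    ("mgmt", "cde", frozenset({389, 636})),  # directory services into the CDE
    ("cde", "mgmt", frozenset({514})),       # syslog from the CDE to the SIEM
    ("guest", "internet", frozenset({80, 443})),
]

# Policy after removing the flat corp -> cde rule (constructed).
AFTER: List[Rule] = [
    ("mgmt", "cde", frozenset({389, 636})),
    ("cde", "mgmt", frozenset({514})),
    ("guest", "internet", frozenset({80, 443})),
]


def cde_zones(hosts: Dict[str, dict]) -> Set[str]:
    """Zones containing at least one system that handles CHD.

    Every host sharing such a zone is in the CDE, whether or not it
    touches card data itself, because nothing separates it from those that do.
    """
    return {attrs["zone"] for attrs in hosts.values() if attrs["handles_chd"]}


def connected_zones(rules: List[Rule], cde: Set[str]) -> Set[str]:
    """Zones with a permitted path to or from a CDE zone.

    Simplification (assumption of this example): only direct zone-to-zone
    connectivity counts; transitive paths are not followed.
    """
    connected: Set[str] = set()
    for src, dst, _ports in rules:
        if src in cde and dst not in cde:
            connected.add(dst)
        elif dst in cde and src not in cde:
            connected.add(src)
    return connected


def pci_scope(hosts: Dict[str, dict], rules: List[Rule]) -> Dict[str, str]:
    """Classify each host as 'CDE', 'connected-to' or 'out of scope'."""
    cde = cde_zones(hosts)
    connected = connected_zones(rules, cde)
    scope: Dict[str, str] = {}
    for name, attrs in hosts.items():
        zone = attrs["zone"]
        if zone in cde:
            scope[name] = "CDE"
        elif zone in connected:
            scope[name] = "connected-to"
        else:
            scope[name] = "out of scope"
    return scope


def unrestricted_cde_rules(rules: List[Rule], cde: Set[str]) -> List[Tuple[str, str]]:
    """Rules allowing any port into or out of the CDE: the first ones to fix."""
    return [(s, d) for s, d, ports in rules if (s in cde or d in cde) and not ports]


def in_scope_count(scope: Dict[str, str]) -> int:
    """Number of hosts an assessor would have to review."""
    return sum(1 for v in scope.values() if v != "out of scope")


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        scope = pci_scope(HOSTS, rules)
        print(f"--- {label}: {in_scope_count(scope)} of {len(HOSTS)} hosts in scope")
        for host, status in scope.items():
            print(f"{host:12s} {status}")
        print("unrestricted CDE rules:", unrestricted_cde_rules(rules, cde_zones(HOSTS)))
```

Running it shows the flat corp-to-CDE rule dragging the whole corporate zone into scope (7 of 8 hosts), and the management zone staying in scope after the rule is removed because the directory and logging services still talk to the CDE (5 of 8). That matches the post's point: the supporting systems remain in scope by design, while the unrelated corporate hosts drop out only once the traffic restriction is documented and enforced.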

If an organization that must maintain PCI compliance acquires or merges with another organization, it may be beneficial for all parties to incorporate the development of network documentation into the M&A process. By doing this, both parties can ensure that compliance policies are being maintained through a unified compliance framework.

Viviana Dragu, PCI QSA
Consultant, PCI Compliance Services