PCI DSS Requirement 1.1.2 | Current Network Diagram with all Connections to Cardholder Data, including any wireless networks, for Payment Card Industry Data Security Standards.

Network Diagram Drawings | PCI DSS Requirement 1.1.2

Regarding PCI DSS Requirement 1.1.2, this is an often overlooked area. Why? Because most internal I.T. staff quickly assume their network diagram/topology documents are accurate and sufficient. This is rarely the case: these documents are often old, not current, and not nearly in-depth enough for assessing all critical and in-scope "system components" for purposes of PCI DSS compliance, especially PCI DSS Requirement 1.1.2. The term "system components" is defined as the following:

"Any network component, server, or application included in or connected to the cardholder data environment."

Remember, the more accurate, current, relevant, and detailed your network security diagrams/documents are, the better you will satisfy PCI DSS Requirement 1.1.2, and the easier it will be for a Qualified Security Assessor (QSA) to understand and scope the assessment.

Add to this the fact that when you embark on PCI DSS compliance and begin to truly examine the 12 requirements in PCI DSS v.1.2, you will quickly find yourself referring back to these network diagram and topology documents for much needed reference on a number of particular items.

As a general rule, here is what you would want to include in your network diagram/topology documents:

  • Firewalls
  • Load Balancers
  • Routers and Switches
  • Demilitarized Zone (DMZ)
  • Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS)
  • Any enterprise wide applications (CRM systems, etc.)
  • Remote Access
  • Point to point secure data transmission methods used for data traversing back and forth on the network
  • Wireless Networking or Networks
  • Web Servers
  • Proxy Servers
  • Email Servers
  • DNS Servers
  • Operating Systems
  • Databases
  • Applications
  • Anti-virus

Obviously, this amount of information makes these documents and drawings very sensitive, so due care should be taken to protect them. Having network diagram/topology documents with this type of detail will greatly aid the overall assessment, along with satisfying the all-important PCI DSS Requirement 1.1.2. In short, think of your network in terms of layers, and how they are logically and physically laid out, and then start to map them with as much detail as possible. Also, don't forget to include dataflow information, that is, the types of data flowing and traversing your network along with the protocols used; this is an area often forgotten on network diagram/topology documents for PCI DSS Requirement 1.1.2.

In short, include all system components from the network, Operating System (O/S), application, and database layers.
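As an added illustration (not from the original page or from NDB Advisory), the following Python script applies the definition of "system components" quoted above to a machine-readable version of a network diagram: every component drawn inside the cardholder data environment, plus every component with a documented connection to one, is in scope, and any data flow drawn without a protocol is reported as the kind of gap the paragraph above warns about. The component names, zones and flows are constructed sample data and the layer labels follow the network/O/S/application/database layering the page describes.

```python
"""Scope check over a network-diagram inventory (added example, not the
page's own material). Applies the page's definition of a "system
component": any network component, server, or application included in or
connected to the cardholder data environment (CDE)."""

from collections import defaultdict

# Constructed inventory: each component has a layer (network / os /
# application / database) and a zone; zone "cde" marks the cardholder
# data environment as drawn on the diagram.
COMPONENTS = {
    "fw-edge":    {"layer": "network",     "zone": "dmz"},
    "lb-web":     {"layer": "network",     "zone": "dmz"},
    "web-01":     {"layer": "application", "zone": "dmz"},
    "pay-app-01": {"layer": "application", "zone": "cde"},
    "card-db-01": {"layer": "database",    "zone": "cde"},
    "ids-sensor": {"layer": "network",     "zone": "cde"},
    "crm-01":     {"layer": "application", "zone": "corp"},
    "mail-01":    {"layer": "application", "zone": "corp"},
    "wifi-guest": {"layer": "network",     "zone": "guest"},
}

# Constructed data flows: (source, destination, data type, protocol).
# A None protocol models a line on the diagram that does not say what
# traverses it or how, the omission the page calls out.
FLOWS = [
    ("lb-web",     "web-01",     "customer session", "HTTPS"),
    ("web-01",     "pay-app-01", "PAN",              "TLS 1.2"),
    ("pay-app-01", "card-db-01", "PAN",              "TLS 1.2"),
    ("crm-01",     "pay-app-01", "order lookup",     None),
    ("mail-01",    "crm-01",     "notifications",    "SMTP"),
    ("wifi-guest", "fw-edge",    "internet",         "HTTP"),
]


def in_scope_components(components, flows):
    """Return the sorted list of system components: everything in the CDE
    plus everything with a documented connection (either direction) to a
    CDE component. Connectivity is read from the documented flows, so a
    connection missing from the diagram silently drops a component out of
    scope; that is the argument for keeping the diagram complete."""
    cde = {name for name, attrs in components.items() if attrs["zone"] == "cde"}
    connected = set()
    for src, dst, _data, _proto in flows:
        if src in cde:
            connected.add(dst)
        if dst in cde:
            connected.add(src)
    return sorted(cde | connected)


def undocumented_flows(flows):
    """Return (source, destination, data type) for flows whose protocol
    is missing, i.e. dataflow lines that do not say how data is carried."""
    return [(s, d, data) for s, d, data, proto in flows if proto is None]


def scope_by_layer(components, flows):
    """Group the in-scope components by layer so the inventory can be
    checked against the page's layered view of the network."""
    grouped = defaultdict(list)
    for name in in_scope_components(components, flows):
        grouped[components[name]["layer"]].append(name)
    return dict(grouped)


if __name__ == "__main__":
    print("In scope:", in_scope_components(COMPONENTS, FLOWS))
    print("Flows without protocol:", undocumented_flows(FLOWS))
    print("In scope by layer:", scope_by_layer(COMPONENTS, FLOWS))
```

Note that the corporate CRM host lands in scope purely because it has a drawn connection into the CDE, while the guest wireless network stays out of scope only because no such connection is documented; if the diagram omits a real link, the scoping error propagates into the assessment.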

To learn more about the Payment Card Industry Data Security Standards and becoming PCI DSS compliant, please contact NDB Advisory.