I have been reviewing network and data flow diagrams for PCI compliance engagements for years. But it only recently dawned on me that I have never discussed the issues that keep recurring when I review organizations’ network and data flow diagrams as part of the PCI compliance efforts. To rectify that situation, here are some comments so that all of you can provide better diagrams to your QSAs.
Some organizations treat their network diagrams better than some governments treat their Ultra Top Secret documents. Even though all organizations require a non-disclosure agreement (NDA) to be in place before having a QSAC conduct their PCI assessment, we constantly run into networking and security personnel that keep detailed network diagrams secret from the QSA.
Unfortunately for these people, the PCI assessment process requires a level of detail that is not comfortable. In such situations I have received diagrams from network/security personnel that can only be described at levels higher than even high level diagrams. Such documentation is worthless to a QSA and only puts thoughts in the back of the QSA’s mind regarding what you are trying to hide.
QSAs need diagrams that show everything that is contained in the cardholder data environment (CDE) and all of the network connections to the CDE. A QSA needs this level of detail to reconcile your configuration standards, running configurations and other relevant documentation to the network diagram as part of the process to ensure that the CDE is properly defined and securely configured. The network diagrams are also used by the QSA to ensure that appropriate samples are taken for devices in-scope for the assessment if sampling is used.
At a minimum, the information that needs to be on network diagrams includes all virtual local area network (VLAN) numbers (if applicable), IP address ranges/blocks for relevant network segments and key firewalls, routers, switches and servers along with their DNS names and IP addresses. Anything less just makes the PCI assessment process all the more difficult for you and your QSA.
Data Flow Diagrams
Data flow diagrams typically end up in the Details About Reviewed Environment section at the front of the ROC. As a result, you need to make sure that they carry enough detail for readers of the ROC, but not enough detail to aid an attacker if they get a hold of the ROC. I will talk about the details that are required in these diagrams in the next section on ROC Diagrams.
The first thing that gets noticed with data flow diagrams is that they do not even come close to matching up to the network diagrams. This is typically because the data flow diagrams are prepared by the business owners of the card processing processes and these people typically have no idea how the data actually flows through the network. As a result, the QSA has no point of reference between the data flow and the network to evaluate whether the CDE is properly defined. As such, the first recommendation I make is for the business owners and the networking people sit down together and get their diagrams in synch. Not that the same detail that is in the network diagrams needs to be in the data flow diagrams, but key security points such as firewalls, servers, public networks and business partners should be noted in these diagrams.
The second thing that I notice in data flow diagrams is that there can be a lot of lines with arrows, sometimes even colored in red, green, yellow and other colors. But most of the time there is no description or legend that allows the reader to understand what the diagram is to represent. Worse yet, the lines and arrows are all over the place and difficult, if not impossible, to follow in a cacophony of color or monochrome. To add to this mess, sometimes we get this overlaid on top of the detailed network diagrams in an effort to address my first point. The net result is that it is all clear as mud!
And if you want to add insult to injury, you do get some commentary with the data flow diagrams in the addition of callouts or balloon comments. Unfortunately, these comments are near to impossible to understand what comments/balloons go with what line. Or if that comment/balloon is also a data flow line. Yuck!
What typically needs to be done is to create separate diagrams for how a transaction flows when a card is processed. This could result in multiple diagrams for “brick and mortar” retail locations, eCommerce, call center, returns and other order processing processes. Then a diagram that shows the data flow for settlement. Settlement may result in multiple diagrams as well. Then there may be other data flow diagrams that show other manual or paper-based processes related to CHD that also need to be documented.
In the Executive Summary and Details About Reviewed Environment sections of the front part of the ROC, the QSA is required to provide three diagrams.
- A “high level” network diagram.
- CDE external and internal network connectivity diagram.
- Card transaction data flow diagram.
The purpose of these diagrams is to give people such as those at your acquiring bank, the card brands, or heaven forbid, the forensic examiners in the event of a breach, an overview of your organization’s network and how cardholder data flows over that network so that they have some context.
The high level network diagram needs to include the following information.
- All connections into and out of the network, including demarcation points between the CDE and all other networks/zones.
- All critical components and key systems, as well as their locations and the boundaries between them. You do not have to document every switch crossed in the network, but you need to show the key components such as core switches or other networking devices that impact the security of the CDE. You also need to document some of the key servers such as Active Directory, SIEM, patch management, backup, operations management or other operational servers that might not be in the CDE but provide support to the CDE.
- All other necessary components or key systems, their locations and boundaries, as applicable. This would be devices such as consoles and monitoring stations as well as any user systems that have access to the CDE or to the operational support systems.
Note that there is no requirement to provide details such as DNS names, IP addresses or other identifying information that would be extremely useful for an attacker. There needs to be sufficient detail as to provide the reader with a reasonable understanding of the architecture of the network so that they can assess whether the ROC covers everything it should cover and that the CDE was properly defined.
The CDE external and internal network connectivity diagram needs to provide the following information.
- All boundaries of the cardholder data environment.
- Any network segmentation points which are used to reduce scope of the assessment.
- Boundaries between trusted and untrusted networks.
- Wireless and wired networks.
- All other connection points applicable to the assessment.
Again, there is not a lot of detail provided here, but enough information to give the reader the context of what is connected to what and how the CDE is structure for security.
Data flow diagrams need to provide the following.
- Identify all transmission and processing flows of cardholder data (CHD) including: authorization, capture, settlement, chargeback and any other CHD applicable data flows.
- For each transmission and processing flow: describe how cardholder data is transmitted and/or processed and identify the types of CHD involved (for example, full track, PAN, expiry date).
As I stated earlier, for all of these diagrams, you may need to create multiple diagrams to get your meaning across. So do not try to pack too much information into a single drawing only to have it unreadable in the ROC.
These ROC diagrams are typically a collaborative effort between the QSA and the appropriate personnel in the organization. In some cases, it can take quite a lot of work and creativity to get diagrams that are useful yet does not give away the store.
Hopefully you now understand what diagrams your QSA needs and the level of details required.