Posted by: Charles Denyer
Payment Card Industry (PCI) Data Security Standards (DSS) compliance for PCI DSS requirement 1.1.2 calls for a “Current network diagram with all connections to cardholder data, including any wireless networks.” Thus, the testing procedure for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”
Okay, once again here, the key phrase is “current network diagram”. What does this essentially mean? It means having a subject matter expert within your I.T. department develop a current network diagram and topology documents showing all critical connection points, along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be kept current and updated on a quarterly basis to reflect changes in the organization’s network layout. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to undergo at some point in their business lifecycle.
And though the requirement for PCI DSS 1.1.2 calls for these network diagrams only for “connections to cardholder data”, it’s a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and, again, it helps with other regulatory compliance mandates that your organization may have to endure.
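As an added illustration (example code, not part of the original post), here is a small Python check that keeps the diagram as data beside the drawing and tests it for exactly what the 1.1.2 procedure asks: that it is current (a 90-day cycle is assumed, matching the quarterly update above) and that it documents every observed connection to cardholder data, wireless included. The node names, zones and observed links are constructed sample data.

```python
"""Validate a network-diagram inventory against the two PCI DSS 1.1.2 tests:
the diagram must be current, and it must document every connection to
cardholder data, wireless networks included. All data below is constructed."""
from datetime import date, timedelta

REVIEW_CYCLE_DAYS = 90  # assumption: the quarterly update cadence recommended above

# Constructed: machine-readable companion to the drawn diagram.
DIAGRAM = {
    "last_reviewed": "2024-01-15",
    "nodes": {
        "pos-app":   {"zone": "cde"},
        "card-db":   {"zone": "cde"},
        "web-dmz":   {"zone": "dmz"},
        "corp-wifi": {"zone": "wireless"},
    },
    "links": [("web-dmz", "pos-app"), ("pos-app", "card-db")],
}

# Constructed: connections actually seen (e.g. from firewall rules or flow logs).
OBSERVED_LINKS = [
    ("web-dmz", "pos-app"),
    ("pos-app", "card-db"),
    ("corp-wifi", "pos-app"),  # wireless segment reaching the CDE, not on the diagram
]

def is_current(diagram, today, max_age_days=REVIEW_CYCLE_DAYS):
    """True if the diagram was reviewed within the allowed cycle."""
    reviewed = date.fromisoformat(diagram["last_reviewed"])
    return today - reviewed <= timedelta(days=max_age_days)

def touches_cardholder_data(diagram, link):
    """A link matters for 1.1.2 if either endpoint sits in the cardholder data environment."""
    return any(diagram["nodes"].get(n, {}).get("zone") == "cde" for n in link)

def undocumented_cde_links(diagram, observed):
    """Observed connections to cardholder data that the diagram does not show."""
    documented = {frozenset(l) for l in diagram["links"]}
    return sorted(tuple(sorted(l)) for l in observed
                  if touches_cardholder_data(diagram, l) and frozenset(l) not in documented)

def assess(diagram, observed, today):
    """Findings a 1.1.2 review would raise; an empty list means the diagram passes both tests."""
    findings = []
    if not is_current(diagram, today):
        findings.append(f"diagram stale: last reviewed {diagram['last_reviewed']}")
    for a, b in undocumented_cde_links(diagram, observed):
        zones = {diagram["nodes"].get(n, {}).get("zone") for n in (a, b)}
        kind = "wireless " if "wireless" in zones else ""
        findings.append(f"undocumented {kind}connection to cardholder data: {a} <-> {b}")
    return findings

if __name__ == "__main__":
    for finding in assess(DIAGRAM, OBSERVED_LINKS, date(2024, 6, 1)):
        print(finding)
```

Feeding the observed links from a firewall rule export or flow logs, rather than a hand-typed list, turns this into a drift check that can run each quarter before the diagram is re-approved.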