PCI network segmentation is a common approach to reducing the scope (and therefore the complexity) of card-processing networks. It follows the commonly used strategy of minimization: Store as.
PCI DSS and the Network Diagram
This post is designed to give a high level overview of what should be included in a network diagram and how to incorporate simple data flow indicators to help address the all important question of what is the scope of your PCI DSS assessment.
Network Documentation Overview
Network documentation is extremely valuable to a PCI DSS assessor, so valuable in fact that it is one of the first requirements listed in the Payment Card Industry Data Security Standard (PCI DSS). Requirement 1.1.2 in the PCI DSS requires the assessor to validate that a current network diagram with all connections to cardholder data, including any wireless networks, is available, and also to ensure that a process is in place to keep the diagram current. What I recommend to clients, in addition to a network diagram, is to highlight the card data flow on top of the network diagram. This is often not thought of because it is not called out as a specific requirement; however, documenting card data flows on top of the network diagram can be invaluable. When combined, a network diagram and card data flow information can help a company come to a unified and clear understanding of where card data is stored, processed or transmitted within their environment, as well as identify all supporting and connected systems and devices. So what does a network diagram do for you? A quality network diagram will illustrate 3 key points about your network:
- What devices exist on your network
- How are those devices connected
- Where are those devices physically located
Data flow indicators on your diagram will map out the following:
- Where does my data go
- Where the hand-offs are between encrypted data and unencrypted data
- Where data could possibly be stored
Now that we all agree we need network diagrams with a data flow illustration to document a PCI environment, the next logical question is what level of detail the diagrams need. Like many other subjective questions related to IT and security, the answer is: it depends.
Network Diagram Detail Levels
When talking about data flow diagrams there are typically 4 levels of diagrams that are referenced; each increase in level indicates more detail:
- Level 0 (context level) – The highest level view of a system, showing the system as a whole and its inputs and outputs from/to external entities.
- Level 1 – Illustrates the primary processes, data stores and destinations and how they are linked.
- Level 2 – Expansion of the detail in the level 1 diagram, showing how information moves from and to each of the devices and processes. Any decision routines in the data flow should be clearly called out.
- Level 3 – Expansion of the detail in the level 2 diagram.
In my approach to constructing network diagrams I take a very similar view of the level of detail outlined in a data flow diagram. I start with a Level 0 (context) diagram and map out key locations and connection points. From there I can begin to expand the level of detail across connection points and at each site by identifying key systems, data stores, and show some segmentation if it exists on the network. Finally, if needed, I can expand the level of detail again to get to a level 2 or 3 diagram.
Once the network diagrams are in good shape, it is very easy to document the card data flow by either using color-coded connection lines or even drawing arrows along the path(s) the card data will travel.
Most of the time, a level 1 diagram will be sufficient to document the logical layout of a network environment and highlight the card data flow. It is important to note that you do not have to have a single all-encompassing network diagram. For larger networks, or as the level of detail increases, it may make sense to create multiple diagrams with links to each corresponding diagram.
Below are some simple examples of possible level 0, level 1 and level 2 diagrams for a merchant with a remote store location, a central processing center and branch offices.
Level 0 diagram – the diagram identifies key locations on the network and the arrows highlight the expected flow of card data.
In a PCI DSS assessment scenario, this level of diagram helps to identify the key locations that should be the focus of the assessment; however, it does not provide much insight into the number of devices or logical layout of the physical sites.
Level 1 Diagram – the diagram indicates primary connection points and devices in the data flow.
This diagram expands the level 0 diagram and highlights the key components at each physical location as well as a view into the logical layout within each physical location. Some companies will include additional detail like hostnames and IP addresses of network devices. While this is a good practice, this is not required for PCI.
Depending on the complexity of your network, this level of diagram may satisfy the assessor's needs for requirement 1.1.2.
A Level 2 Diagram could be created for each physical site by expanding the level of detail to all network components and devices including the telecom room, demarcation points, wiring, workstations and POS terminals.
This diagram expands the level 1 diagram and highlights devices and the logical layout within the merchant store location. Some diagrams can be very creative and even be documented on top of a floor map.
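To make the three data-flow questions above (where the data goes, where the encrypted/unencrypted hand-offs are, where it could be stored) and the scoping question checkable rather than eyeballed, here is an added example that is not part of the original post: a level 1 diagram for the merchant layout recorded as data, with the CDE, connected systems, crypto hand-off points and possible storage points derived from it. All node names, segments and flags are constructed assumptions.

```python
# Added example (not from the original post): a level 1 diagram captured as data.
# Topology, names and flags are constructed to mirror the post's merchant example.
# node -> (network segment, role for cardholder data: store / process / transmit / none)
NODES = {
    "pos-terminal":  ("store-lan",  "process"),
    "store-router":  ("store-lan",  "transmit"),
    "core-firewall": ("dc-edge",    "transmit"),
    "payment-app":   ("dc-cde",     "process"),
    "token-db":      ("dc-cde",     "store"),
    "branch-pc":     ("branch-lan", "none"),
    "acquirer":      ("external",   "process"),   # third-party processor
}
# data-flow arrows: (src, dst, carries cardholder data, encrypted in transit)
EDGES = [
    ("pos-terminal",  "store-router",  True,  False),  # clear text on the store LAN
    ("store-router",  "core-firewall", True,  True),   # VPN across the WAN
    ("core-firewall", "payment-app",   True,  False),  # decrypted at the edge
    ("payment-app",   "token-db",      True,  True),
    ("payment-app",   "acquirer",      True,  True),
    ("branch-pc",     "core-firewall", False, True),   # no CHD, but touches a CDE device
]

def cde_systems():
    """Systems that store, process or transmit CHD, plus every endpoint of a CHD flow."""
    cde = {n for n, (_, role) in NODES.items() if role != "none"}
    for src, dst, chd, _ in EDGES:
        if chd:
            cde.update((src, dst))
    return cde

def connected_systems():
    """Systems outside the CDE with a direct link into it: in scope unless segmented away."""
    cde = cde_systems()
    return {n for s, d, _, _ in EDGES for n in (s, d) if n not in cde and (s in cde or d in cde)}

def encryption_handoffs():
    """Nodes that see CHD both encrypted and in the clear: the crypto boundary points."""
    seen = {n: set() for n in NODES}
    for src, dst, chd, enc in EDGES:
        if chd:
            seen[src].add(enc)
            seen[dst].add(enc)
    return {n for n, states in seen.items() if len(states) > 1}

def possible_storage():
    """Where CHD could come to rest: declared stores plus every node handling clear-text CHD."""
    spots = {n for n, (_, role) in NODES.items() if role == "store"}
    spots.update(n for s, d, chd, enc in EDGES if chd and not enc for n in (s, d))
    return spots
```

Note that the branch office PC lands in scope purely because its arrow reaches a CDE device; that is exactly the kind of connection a level 1 diagram makes visible and that segmentation would remove.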
Network Diagramming Tools
Once you have an idea of the level of detail you want your diagrams to have, what tool should you use to build the diagrams? Any software with drawing capability can be used to create a network diagram; I have seen some very good diagrams created using tools like Microsoft PowerPoint. However, working with a tool that is designed to produce diagrams is recommended. These tools will include things like component symbols, the ability to embed object properties into a graphic, diagram linking and transitions. Some examples of tools that provide this functionality and more are Microsoft Visio, SmartDraw, and Network Notepad. There are many others, including free tools that will get the job done. Use the tools that fit your needs and budget.
If your company doesn't already have these types of diagrams available, you will be required to have one for a PCI DSS assessment and, once you have a quality diagram available for use and illustration I am willing to bet you will continue to document other key processes in the same manner. Now get to diagramming!
A PCI network card is a type of computer hardware that can be installed within a computer’s case, directly onto the motherboard of the computer. This type of card is installed into a peripheral component interconnect (PCI) slot on a computer’s motherboard. The network card will then allow the computer to connect directly to some type of network, either a wired network through an Ethernet or similar cable or a wireless network, depending on the card. A PCI network card is often used for desktop computers, rather than laptops, since internal installations are easier on a desktop.
Installing a PCI network card into a desktop computer is a fairly simple process and allows the computer to reliably connect to a network afterward. Many modern motherboards include a port for wired network connectivity, usually through an Ethernet cable, though some do not have such ports. In this type of instance, or where connectivity to a wireless network is preferable, the network card may need to be installed inside the computer. This is done by simply opening the computer case, while the computer is shut down, and inserting the network card directly into a PCI slot on the motherboard.
Once a PCI network card is properly installed, device drivers and other software may be needed. The functionality of this type of card usually depends on what type of card is chosen and installed. In general, this will either be a wired card that connects to a network through a physical cable or a wireless network card that receives a signal to connect to a wireless network. Either type of network card will have the same type of interface area that is installed into the motherboard, but the backplate that is exposed out of the back of the computer is typically different.
A wired PCI network card will have a port in which an Ethernet cable can be connected to the card, while a wireless card will often have a small antenna on the back of the card. This antenna can directly extend from the card itself or may be connected to the card by a length of wire, allowing the antenna to be placed in a position best suited for receiving a wireless signal. A PCI network card will often have a small light on the back of it as well, which is powered through the motherboard and indicates that it is functioning properly.