Accurate Network Diagram

You must maintain current, detailed network diagrams showing every connection between your cardholder data environment (CDE) and all other networks, including wireless. These diagrams require specific elements: device locations, IP addresses, network segmentation boundaries, data flows, and security controls at each connection point.

Key takeaways:

  • Network diagrams must show ALL connections to the CDE, not just primary pathways
  • Wireless networks require explicit documentation even if logically separated
  • Update diagrams within 24-48 hours of any network change affecting the CDE (PCI DSS sets no fixed window; it requires only that the diagram be kept current)
  • Missing or outdated diagrams consistently fail QSA assessments
  • Diagram accuracy directly impacts breach containment capabilities

PCI DSS Requirement 1.2.3 mandates accurate network diagrams because you can't secure what you can't see. Your network diagram serves as the foundational document for CDE scoping, security architecture decisions, and incident response. Without accurate diagrams, organizations routinely miss critical attack vectors, fail segmentation validation, and struggle during breach investigations.

The requirement applies to every organization handling payment card data — merchants, service providers, and payment processors. Your diagram must capture the complete topology: physical and logical connections, security controls, network boundaries, and crucially, every path that could potentially reach cardholder data. This includes connections you might overlook: guest wireless networks, HVAC systems with network connectivity, third-party managed devices, and development environments that occasionally sync production data.

QSAs report that inadequate network diagrams rank among the top five assessment failures. The consequences extend beyond compliance: incomplete diagrams have contributed to extended breach windows where attackers maintained access for months through undocumented connections.

Regulatory text

PCI DSS v4.0.1 Requirement 1.2.3 states: "An accurate network diagram(s) is maintained that shows all connections between the cardholder data environment (CDE) and other networks, including any wireless networks."

The testing procedures have the assessor examine the diagram(s) together with the actual network configurations to verify that every connection is documented, and examine documentation and interview responsible personnel to verify the diagram is updated when the environment changes. Your diagram must therefore reflect the deployed architecture, not the intended design. This includes temporary connections, disaster recovery links, and maintenance access points that might only activate periodically.

What You Actually Need to Do

Start by identifying every system that stores, processes, or transmits cardholder data. Then trace every possible network path to these systems. Your diagram must include:

Required Elements:

  1. All CDE systems with IP addresses and network locations
  2. Network segmentation boundaries and enforcement points
  3. Firewalls, routers, and switches with management interfaces
  4. Wireless access points and controllers
  5. Connection points to third-party networks
  6. Remote access entry points
  7. Data flow directions between network segments
  8. Security controls at each boundary

Document both physical and logical views. Physical diagrams show device locations, cabling, and rack positions. Logical diagrams display VLANs, routing domains, firewall zones, and traffic flows. Many organizations need multiple diagrams to capture different abstraction levels.

Common Implementation Mistakes

Wireless Network Omissions: Organizations frequently exclude wireless networks that "don't connect to the CDE." Document all wireless infrastructure anyway: a guest network that is logically separated may still share the same controller, switches, or authentication server as the CDE, and the assessor will want to see where that separation is enforced. Show wireless controller locations, access point coverage areas, and authentication servers, and keep the diagram consistent with the inventory of authorized access points that Requirement 11.2 already expects you to maintain and verify quarterly.

Static Documentation: Networks change constantly. Manual diagram updates lag behind actual modifications. Implement change control procedures that trigger diagram updates before network changes go live. Consider automated discovery tools that alert on topology changes.

Missing Management Networks: Out-of-band management networks, IPMI interfaces, and console servers often escape documentation. Attackers specifically target these paths. Include every administrative access method.

Oversimplification: High-level diagrams that show "the Internet" as a cloud miss critical details. Document specific ISP connections, DMZ architectures, and external service touchpoints. QSAs need to trace exact packet paths.

Evidence and Artifacts to Retain

Maintain versioned diagrams with change history dating back at least one year. Each version should include:

  • Approval signatures from network and security teams
  • Change description and business justification
  • Validation testing results confirming accuracy
  • Cross-references to firewall rule changes

Keep supplementary documentation:

  • IP address allocation spreadsheets
  • VLAN assignments and descriptions
  • Firewall rule matrices mapped to diagram zones
  • Wireless network survey results
  • Physical cable plant documentation

Audit Questions and Examination Methods

QSAs typically start by requesting your current network diagram, then validate through:

Configuration Review: Comparing firewall rules, routing tables, and VLAN configurations against diagram claims. Discrepancies trigger expanded testing scope.

Traffic Analysis: Running packet captures to verify data flows match documented paths. Unexpected traffic patterns indicate diagram gaps.

Physical Verification: Walking data center floors to confirm device locations and connections. Undocumented cables or devices fail the requirement.

Common QSA challenges:

  • "Show me how this third-party connection is secured"
  • "Trace the path from this workstation to the payment database"
  • "Where are the wireless controllers in relation to the CDE?"
  • "How do you validate diagram accuracy after changes?"

Risk and Enforcement Context

While PCI DSS itself publishes no penalty schedule, the payment brands can levy monthly non-compliance fines on acquiring banks, which are typically passed through to the merchant or service provider. Inaccurate network diagrams compound other violations: if segmentation fails because of an undocumented connection, you face both a network security finding and a scoping failure, since systems you treated as out of scope are in fact connected to the CDE.

More critically, network diagrams directly impact breach response. Incident responders rely on accurate diagrams to contain attacks and preserve evidence. Missing connections mean missed compromise indicators, extended attacker dwell time, and expanded breach scope.

30/60/90-Day Implementation Plan

Immediate (Days 1-30):

  • Inventory all systems touching cardholder data
  • Identify current diagram owners and sources
  • Collect existing network documentation
  • Schedule sessions with network, security, and application teams
  • Begin discovering undocumented connections

Near-term (Days 31-60):

  • Create baseline physical and logical diagrams
  • Validate through configuration reviews
  • Document wireless infrastructure completely
  • Map data flows between network zones
  • Establish change control integration

Ongoing (Days 61-90):

  • Conduct traffic analysis to verify accuracy
  • Implement automated topology monitoring
  • Train staff on update procedures
  • Schedule quarterly accuracy reviews
  • Document validation methodology

Practical Tips for Success

Use Proper Tools: Microsoft Visio remains the de facto standard, but consider tools like Lucidchart or Draw.io that support collaboration and version control, or a text-based format such as Graphviz DOT that can be generated from configuration and diffed cleanly in a repository. Network monitoring platforms often include topology mapping features that provide starting points.

Layer Your Documentation: Create multiple diagram views for different audiences. Executive diagrams show security zones and trust boundaries. Engineering diagrams include IP addresses, VLANs, and port assignments. Incident response diagrams highlight logging points and forensic tap locations.

Automate Discovery: Deploy network discovery tools that continuously scan for topology changes. Compare automated discoveries against official diagrams monthly. Investigate every discrepancy — unauthorized changes often indicate security incidents.
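The monthly comparison described above, and the Configuration Review and Traffic Analysis checks a QSA performs, come down to one operation: reduce what the diagram claims and what the network actually does to the same vocabulary and diff them. The following is an added example (not code from the original page or from any tool it mentions) that does this with constructed data: SEGMENTS and DOCUMENTED model what a hypothetical diagram shows, RULES are constructed firewall lines in a simplified vendor-neutral format, and FLOWS are constructed flow records. All segment names and addresses are hypothetical.

```python
# Added example: reconcile a documented CDE diagram against observed state.
# All data below is constructed; names and addresses are hypothetical.
import ipaddress
from typing import Dict, Iterable, Set, Tuple

# A connection as the diagram sees it: (source segment, destination segment, "proto/port").
Conn = Tuple[str, str, str]

# Segments drawn on the diagram, keyed by the label used on the drawing.
SEGMENTS = {
    "CDE-DB":     ipaddress.ip_network("10.10.1.0/24"),
    "CDE-APP":    ipaddress.ip_network("10.10.2.0/24"),
    "CORP-USERS": ipaddress.ip_network("10.20.0.0/16"),
    "GUEST-WIFI": ipaddress.ip_network("192.168.50.0/24"),
    "OOB-MGMT":   ipaddress.ip_network("10.99.0.0/24"),
    "VENDOR-VPN": ipaddress.ip_network("172.16.8.0/24"),
}
CDE_SEGMENTS = {"CDE-DB", "CDE-APP"}

# Every connection the diagram shows crossing into or within the CDE.
DOCUMENTED: Set[Conn] = {
    ("CDE-APP", "CDE-DB", "tcp/5432"),
    ("CORP-USERS", "CDE-APP", "tcp/443"),
    ("VENDOR-VPN", "CDE-APP", "tcp/22"),
    ("OOB-MGMT", "CDE-APP", "tcp/22"),
}

# Constructed firewall policy: "<action> <proto> <src> <dst> <port>".
RULES = [
    "permit tcp 10.20.0.0/16 10.10.2.0/24 443",
    "permit tcp 172.16.8.0/24 10.10.2.0/24 22",
    "permit tcp 10.10.2.0/24 10.10.1.0/24 5432",
    "permit tcp 10.99.0.0/24 10.10.1.0/24 22",      # not on the diagram
    "permit tcp 10.20.0.0/16 192.168.50.0/24 80",   # does not touch the CDE
    "deny ip any any",
]

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dport>".
FLOWS = [
    "2024-05-02T10:00:01Z 10.20.4.7 10.10.2.15 tcp 443",
    "2024-05-02T10:00:03Z 10.10.2.15 10.10.1.10 tcp 5432",
    "2024-05-02T10:00:09Z 10.99.0.5 10.10.1.10 tcp 22",
    "2024-05-02T10:01:12Z 192.168.50.23 10.10.2.15 tcp 443",  # guest Wi-Fi into the CDE
]


def segment_of(cidr: str) -> str:
    """Map an address or prefix to the diagram segment that contains it."""
    if cidr == "any":
        return "ANY"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, seg in SEGMENTS.items():
        if net.version == seg.version and net.subnet_of(seg):
            return name
    return "UNKNOWN"  # address space the diagram does not account for


def touches_cde(conn: Conn) -> bool:
    """True if either endpoint is a CDE segment (or an 'any' that includes it)."""
    src, dst, _ = conn
    return bool({src, dst} & (CDE_SEGMENTS | {"ANY"}))


def parse_rules(lines: Iterable[str]) -> Set[Conn]:
    """Permit rules, expressed as diagram-level connections touching the CDE."""
    conns: Set[Conn] = set()
    for line in lines:
        f = line.split()
        if len(f) != 5 or f[0] != "permit":
            continue  # deny rules create no path; unknown shapes are ignored
        conn = (segment_of(f[2]), segment_of(f[3]), f"{f[1]}/{f[4]}")
        if touches_cde(conn):
            conns.add(conn)
    return conns


def parse_flows(lines: Iterable[str]) -> Set[Conn]:
    """Observed flows, reduced to the connections that touch the CDE."""
    conns: Set[Conn] = set()
    for line in lines:
        _ts, src, dst, proto, port = line.split()
        conn = (segment_of(src), segment_of(dst), f"{proto}/{port}")
        if touches_cde(conn):
            conns.add(conn)
    return conns


def reconcile(documented: Set[Conn], rule_lines: Iterable[str],
              flow_lines: Iterable[str]) -> Dict[str, Set[Conn]]:
    """Four discrepancy classes; each entry is a finding to investigate."""
    rules, flows = parse_rules(rule_lines), parse_flows(flow_lines)
    return {
        "undocumented_rules": rules - documented,        # configured, not drawn
        "undocumented_flows": flows - documented,        # observed, not drawn
        "documented_without_rule": documented - rules,   # drawn, but stale
        "flows_without_rule": flows - rules,             # bypassed the enforcement point
    }


if __name__ == "__main__":
    for kind, conns in reconcile(DOCUMENTED, RULES, FLOWS).items():
        for src, dst, svc in sorted(conns):
            print(f"{kind:24} {src} -> {dst} {svc}")
```

Run against the constructed data, the four classes map directly onto the QSA questions above: the out-of-band management path into the database is configured but not drawn, the diagram still shows a management path to the application tier that no rule provides, and the guest Wi-Fi flow into the CDE appears in no permit rule at all, which means traffic reached the CDE through a path the documented enforcement point never saw. That last class is the one to escalate as a possible incident rather than a documentation gap.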

Include Cloud Connections: Modern CDEs extend into cloud environments. Document API endpoints, cloud storage connections, and SaaS integrations. Show how on-premises networks connect to cloud providers (VPN, dedicated interconnect, or peering) and what security controls exist at each boundary.

Frequently Asked Questions

How detailed must IP addressing be on network diagrams?

Include specific IP addresses for all CDE systems, security devices, and boundary points. You may use subnet notation for large non-CDE segments, but any path to cardholder data needs explicit addressing.

Do we need separate diagrams for each location?

Yes, if locations have independent network infrastructure. However, include a high-level diagram showing inter-location connectivity and how distributed sites connect to centralized CDE systems.

How often must we update network diagrams?

Update within 24-48 hours of any network change affecting CDE connectivity, and validate complete accuracy quarterly at minimum. PCI DSS itself sets no fixed window; it requires that the diagram be kept current and updated when the environment changes, so integrating diagram updates into your change control process is the cleanest way to evidence that.

What if we use dynamic cloud environments that constantly change?

Document the logical architecture and security group rules that remain constant. Use automation to capture point-in-time infrastructure state. Focus on showing how dynamic resources connect to persistent CDE systems.
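In a cloud environment the "constant" part of the diagram is the security-group graph, and the point-in-time state can be captured by turning that graph into drawable edges. The following is an added example (not code from the original page) that does this: GROUPS is constructed data in the shape of an AWS describe-security-groups response (GroupId, GroupName, IpPermissions, IpRanges, UserIdGroupPairs), with hypothetical group names, IDs and CIDRs. It resolves each ingress rule to an edge, walks the edges backwards from the CDE groups to find every source that can reach the CDE transitively, and emits Graphviz DOT with the CDE drawn as its own cluster. The same approach applies to any cloud that exposes firewall state as structured data.

```python
# Added example: point-in-time connection view of a cloud CDE from security groups.
# GROUPS is constructed sample data in the shape of an AWS describe-security-groups
# response; group names, IDs and CIDRs are hypothetical.
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]  # (source, destination group, "proto/port")

GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "cde-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0a2"}, {"GroupId": "sg-0a4"}],
         "IpRanges": []}]},
    {"GroupId": "sg-0a2", "GroupName": "cde-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "UserIdGroupPairs": [{"GroupId": "sg-0a3"}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.99.0.0/24"}]}]},
    {"GroupId": "sg-0a3", "GroupName": "public-lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a4", "GroupName": "batch-workers", "IpPermissions": [
        {"IpProtocol": "-1",  # all traffic: such entries carry no FromPort/ToPort
         "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
]
CDE_GROUPS = {"cde-db", "cde-app"}  # the persistent CDE tier


def service(perm: dict) -> str:
    """Render one permission's protocol/port range as a diagram label."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "any"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def ingress_edges(groups: List[dict]) -> List[Edge]:
    """One edge per ingress source; group references resolve to group names."""
    name_of = {g["GroupId"]: g["GroupName"] for g in groups}
    edges: List[Edge] = []
    for g in groups:
        for perm in g["IpPermissions"]:
            svc = service(perm)
            for pair in perm.get("UserIdGroupPairs", []):
                src = name_of.get(pair["GroupId"], pair["GroupId"])  # keep raw ID if unknown
                edges.append((src, g["GroupName"], svc))
            for rng in perm.get("IpRanges", []):
                edges.append((rng["CidrIp"], g["GroupName"], svc))
    return edges


def paths_into_cde(edges: List[Edge], cde: Set[str]) -> Dict[str, List[str]]:
    """Shortest chain from every non-CDE source into a CDE group, found by
    walking the edges backwards from the CDE (transitive reachability)."""
    next_hop: Dict[str, str] = {}
    frontier = set(cde)
    while frontier:
        reached = set()
        for src, dst, _ in edges:
            if dst in frontier and src not in cde and src not in next_hop:
                next_hop[src] = dst
                reached.add(src)
        frontier = reached
    paths: Dict[str, List[str]] = {}
    for src in next_hop:
        chain = [src]
        while chain[-1] not in cde:
            chain.append(next_hop[chain[-1]])
        paths[src] = chain
    return paths


def to_dot(edges: List[Edge], cde: Set[str]) -> str:
    """Graphviz DOT for the diagram, with the CDE drawn as its own cluster."""
    lines = ["digraph cde {", "  rankdir=LR;", "  subgraph cluster_cde {",
             '    label="CDE";']
    lines += [f'    "{name}";' for name in sorted(cde)]
    lines.append("  }")
    lines += [f'  "{s}" -> "{d}" [label="{svc}"];' for s, d, svc in sorted(edges)]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = ingress_edges(GROUPS)
    for src, chain in sorted(paths_into_cde(edges, CDE_GROUPS).items()):
        print(" -> ".join(chain))
    print(to_dot(edges, CDE_GROUPS))
```

On the constructed data the transitive walk is what earns its keep: the batch-workers group never appears on a CDE diagram drawn from tags alone, yet the whole 10.20.0.0/16 corporate range reaches the database through it, and the Internet reaches the application tier through the load balancer (expected, but now drawn and therefore assessable). Committing the DOT output on each run gives the versioned, diffable change history the Evidence section asks for.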

Can we exclude test networks from diagrams?

No, if test networks ever contain real cardholder data or connect to production systems. Document all environments that could potentially impact the CDE, even if logically separated.

Should diagrams include specific firewall rule numbers?

The diagram itself should show security zones and permitted traffic flows. Maintain a separate firewall rule matrix that maps specific rules to diagram connection points for QSA review.
