1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.

Defined Approach Requirements

1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.

Customized Approach Objective

A representation of the boundaries between the CDE, all trusted networks, and all untrusted networks, is maintained and available.

Applicability Notes

A current network diagram(s) or other technical or topological solution that identifies network connections and devices can be used to meet this requirement.

Defined Approach Testing Procedures

1.2.3.a Examine diagram(s) and network configurations to verify that an accurate network diagram(s) exists in accordance with all elements specified in this requirement.

1.2.3.b Examine documentation and interview responsible personnel to verify that the network diagram(s) is accurate and updated when there are changes to the environment.

Purpose

Maintaining an accurate and up-to-date network diagram(s) prevents network connections and devices from being overlooked and unknowingly left unsecured and vulnerable to compromise. A properly maintained network diagram(s) helps an organization verify its PCI DSS scope by identifying systems connecting to and from the CDE.

Good Practice

All connections to and from the CDE should be identified, including systems providing security, management, or maintenance services to CDE system components. Entities should consider including the following in their network diagrams:

• All locations, including retail locations, data centers, corporate locations, cloud providers, etc.
• Clear labeling of all network segments.
• All security controls providing segmentation, including unique identifiers for each control (for example, name of control, make, model, and version).
• All in-scope system components, including NSCs, web app firewalls, anti-malware solutions, change management solutions, IDS/IPS, log aggregation systems, payment terminals, payment applications, HSMs, etc.
• Clear labeling of any out-of-scope areas on the diagram via a shaded box or other mechanism.
• Date of last update, and names of people that made and approved the updates.
• A legend or key to explain the diagram.

Diagrams should be updated by authorized personnel to ensure diagrams continue to provide an accurate description of the network.