WithPCI.com

1.2.4 An accurate data-flow diagram(s) is maintained that meets the following, including: shows all account data flows across systems and networks; updated as needed upon changes to the environment.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:

  • Shows all account data flows across systems and networks.
  • Updated as needed upon changes to the environment.

Customized Approach Objective

A representation of all transmissions of account data between system components and across network segments is maintained and available.

Applicability Notes

A data-flow diagram(s) or other technical or topological solution that identifies flows of account data across systems and networks can be used to meet this requirement.

Defined Approach Testing Procedures

1.2.4.a Examine data-flow diagram(s) and interview personnel to verify the diagram(s) show all account data flows in accordance with all elements specified in this requirement.

1.2.4.b Examine documentation and interview responsible personnel to verify that the data-flow diagram(s) is accurate and updated when there are changes to the environment.

Purpose

An up-to-date, readily available data-flow diagram helps an organization understand and keep track of the scope of its environment by showing how account data flows across networks and between individual systems and devices.

Maintaining an up-to-date data-flow diagram(s) prevents account data from being overlooked and unknowingly left unsecured.

Good Practice

The data-flow diagram should include all connection points where account data is received into and sent out of the network, including connections to open, public networks, application processing flows, storage, transmissions between systems and networks, and file backups.

The data-flow diagram is meant to be in addition to the network diagram and should reconcile with and augment the network diagram. As a best practice, entities can consider including the following in their data-flow diagrams:

  • All processing flows of account data, including authorization, capture, settlement, chargeback, and refunds.
  • All distinct acceptance channels, including card-present, card-not-present, and e-commerce.
  • All types of data receipt or transmission, including any involving hard copy/paper media.
  • The flow of account data from the point where it enters the environment, to its final disposition.
  • Where account data is transmitted and processed, where it is stored, and whether storage is short term or long term.
  • The source of all account data received (for example, customers, third party, etc.), and any entities with which account data is shared.
  • Date of last update, and names of people that made and approved the updates.

Purpose

Track all account data flows to ensure proper protection.

What's required for compliance

  • Diagrams showing all account data flows, updated after changes.
  • Must reconcile with network diagrams.

Compliance strategies

  • Data flow mapping
  • Integration with network diagrams
  • Change-driven updates

Typical policies and procedures

  • Data Flow Procedure
  • PAN Storage Justification

Common pitfalls and failures

  • Unauthorized data flows
  • Missing encryption points
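The Good Practice list above and these two pitfalls both come down to the same maintenance discipline: every documented flow must reconcile with the network diagram, every flow must carry a named protection, flows seen on the network but absent from the diagram are undocumented (and therefore unreviewed) flows, and the register needs a date and an approver. The following is an added example, not code from WithPCI or from the PCI SSC, of how a team can keep the data-flow diagram in a machine-readable register and check it automatically on each change. The register layout, the node names, the observed-flow set and all field names are constructed assumptions for illustration.

```python
"""Added example: automated checks over a machine-readable account-data-flow register.
All data below is constructed for illustration; it is not from any real environment."""
from datetime import date

# Constructed: the system components that appear on the network diagram.
NETWORK_DIAGRAM_NODES = {"web-tier", "pay-api", "token-vault", "backup-store"}

# Constructed: the data-flow register (the diagram as data). One record per flow
# of account data, plus the update/approval metadata the Good Practice list asks for.
FLOW_REGISTER = {
    "last_updated": "2024-05-02",
    "updated_by": "A. Analyst",
    "approved_by": "B. Manager",
    "flows": [
        {"id": "F1", "source": "web-tier", "destination": "pay-api",
         "stage": "authorization", "channel": "e-commerce", "data": "PAN",
         "protection": "TLS 1.2"},
        {"id": "F2", "source": "pay-api", "destination": "token-vault",
         "stage": "authorization", "channel": "e-commerce", "data": "PAN",
         "protection": "TLS 1.2", "storage": "long-term"},
        # Backup copy of stored PAN with no protection recorded: a missing encryption point.
        {"id": "F3", "source": "token-vault", "destination": "backup-store",
         "stage": "backup", "channel": "internal", "data": "PAN",
         "protection": "none", "storage": "long-term"},
        # Destination is not on the network diagram: the two diagrams do not reconcile.
        {"id": "F4", "source": "pay-api", "destination": "legacy-reports",
         "stage": "settlement", "channel": "internal", "data": "PAN",
         "protection": "SFTP"},
    ],
}

# Constructed: (source, destination) pairs actually observed carrying account data,
# e.g. extracted from firewall or proxy logs. One pair is not in the register.
OBSERVED_FLOWS = {
    ("web-tier", "pay-api"), ("pay-api", "token-vault"),
    ("token-vault", "backup-store"), ("pay-api", "legacy-reports"),
    ("web-tier", "analytics-db"),
}


def review_register(register, network_nodes, observed, today_iso, max_age_days=365):
    """Return a list of (finding_type, detail) tuples for the register.

    Checks: update/approval metadata present and not stale, every endpoint of a
    documented flow exists on the network diagram, every flow names a protection,
    and every observed flow is documented (an undocumented flow is unauthorized
    until someone reviews and records it)."""
    findings = []
    if not register.get("updated_by") or not register.get("approved_by"):
        findings.append(("missing_approval", register.get("last_updated")))
    age_days = (date.fromisoformat(today_iso)
                - date.fromisoformat(register["last_updated"])).days
    if age_days > max_age_days:
        findings.append(("stale_register", register["last_updated"]))

    documented = set()
    for flow in register["flows"]:
        documented.add((flow["source"], flow["destination"]))
        for node in (flow["source"], flow["destination"]):
            if node not in network_nodes:
                findings.append(("not_on_network_diagram", f"{flow['id']}:{node}"))
        if flow.get("protection", "none").strip().lower() in ("", "none"):
            findings.append(("missing_encryption", flow["id"]))

    for src, dst in sorted(observed - documented):
        findings.append(("undocumented_flow", f"{src}->{dst}"))
    return findings


def missing_stages(register, required=("authorization", "capture", "settlement",
                                       "chargeback", "refund")):
    """Processing stages from the Good Practice list with no documented flow."""
    covered = {flow["stage"] for flow in register["flows"]}
    return [stage for stage in required if stage not in covered]


if __name__ == "__main__":
    for kind, detail in review_register(FLOW_REGISTER, NETWORK_DIAGRAM_NODES,
                                        OBSERVED_FLOWS, "2024-09-01"):
        print(f"{kind:24} {detail}")
    print("stages without a documented flow:", missing_stages(FLOW_REGISTER))
```

Run on the constructed data, the review reports the unprotected backup flow (F3), the endpoint missing from the network diagram (F4), and the observed but undocumented flow to analytics-db; the stage check flags that capture, chargeback and refund flows have not been diagrammed. Wiring a check like this into the change process (run it whenever the network inventory or the register changes) is one concrete way to implement the "change-driven updates" strategy.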

Type

Documentation Control

Difficulty

Moderate

Key risks

  • Unprotected data transmission

Product and vendor recommendations

  • Deploy data lineage tools (Collibra)

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
