Defined Approach Requirements
1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
Customized Approach Objective
A representation of all transmissions of account data between system components and across network segments is maintained and available.
Applicability Notes
A data-flow diagram(s) or other technical or topological solution that identifies flows of account data across systems and networks can be used to meet this requirement.
Defined Approach Testing Procedures
1.2.4.a Examine data-flow diagram(s) and interview personnel to verify the diagram(s) show all account data flows in accordance with all elements specified in this requirement.
1.2.4.b Examine documentation and interview responsible personnel to verify that the data-flow diagram(s) is accurate and updated when there are changes to the environment.
Purpose of requirement and procedures
An up-to-date, readily available data-flow diagram helps an organization understand and keep track of the scope of its environment by showing how account data flows across networks and between individual systems and devices.
Maintaining an up-to-date data-flow diagram(s) prevents account data from being overlooked and unknowingly left unsecured.
Good practice
The data-flow diagram should include all connection points where account data is received into and sent out of the network, including connections to open, public networks, application processing flows, storage, transmissions between systems and networks, and file backups.
The data-flow diagram is meant to be in addition to the network diagram and should reconcile with and augment the network diagram. As a best practice, entities can consider including the following in their data-flow diagrams:
• All processing flows of account data, including authorization, capture, settlement,
chargeback, and refunds.
• All distinct acceptance channels, including card-present, card-not-present, and e- commerce. • The source of all account data received (for example, customers, third party, etc.), and any entities with which account data is shared.
• Date of last update, and names of people that made and approved the updates.
• All types of data receipt or transmission, including any involving hard copy/paper media.
• The flow of account data from the point where it enters the environment, to its final disposition.
• Where account data is transmitted and processed, where it is stored, and whether storage is short term or long term.
Definitions
[No detail is provided here in the PCI DSS 4.0]
Note: This sub-requirement requirement falls within the primary PCI DSS Requirement 1: Install and Maintain Network Security Controls and secondary requirement 1.2 Network security controls (NSCs) are configured and maintained..
What is the PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long lasting and trusting relationships with their customers.
Source: https://www.imperva.com/learn/data-security/pci-dss-certification/
What is the PCI SSC
The PCI SSC mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.
The four pillars of our strategic framework include:
- Increase industry participation and knowledge in the PCI Standards development process and stakeholder support for standards implementation. This ensures that standards and resources reflect and address industry needs and challenges.
- Evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. This ensures standards and resources that support and enable safe commerce and the flexibility to use different approaches to meet those standards.
- Secure emerging payment channels via development of PCI Standards and resources to support broader payment acceptance. This enables safe commerce in new and emerging card and card-based payment channels such as mobile and internet-of-things.
- Increase standards alignment and consistency of PCI Standards to minimize redundancy and support effective implementation.
PCI DSS certification
PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:
- Installation of firewalls
- Encryption of data transmissions
- Use of anti-virus software
Source: https://www.imperva.com/learn/data-security/pci-dss-certification/
You can learn more about the PCI DSS at https://www.pcisecuritystandards.org/