I just noticed that the Payment Card Industry - Data Security Standard (PCI DSS) Version 3 has a new requirement at 1.1.3. The old 1.1.3 in PCI DSS version 2 is now requirement 1.1.4 in PCI DSS version 3.
PCI DSS Requirement 1.1.3
So what does new requirement 1.1.3 say?
"Current diagram that shows all cardholder data flows across systems and networks"
The testing procedure for this requirement says:
"Examine data-flow diagram and interview personnel to verify the diagram:
- Shows all cardholder data flows across systems and networks.
- Is kept current and updated as needed upon changes to the environment."
And finally the guidance says:
"Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network. Network and cardholder data-flow diagrams help an organization to understand and keep track of the scope of their environment, by showing how cardholder data flows across networks and between individual systems and devices."
The Fundamentals
Data Flow Diagrams (DFDs) are a powerful tool in many situations, whether you are a PCI QSA or a security architect trying to work out the appropriate level of security requirements. This new PCI requirement recognizes this. While PCI only cares about payment cards, DFDs can and should also be used wherever you are analyzing data that is important to your organization.
A DFD consists of three main elements:
- Data flows: the networks and other channels through which data passes.
- Data stores: where data is held within the system.
- Trust boundaries: the points where data crosses from one level of trust to another. The interface to the internet is a typical trust boundary.
A DFD need not be complicated. At its simplest it is a set of boxes on a whiteboard marking the data stores, with lines between them showing where the data flows.
When creating a DFD, make sure to ask a series of questions such as:
- Where are backups held?
- How are test systems and test data handled? Remember, if live production data is used in a test system, the same level of security must apply as in the production system.
- Can users export data to desktops, laptops, etc.?
When you have a good DFD, you can start specifying the level of security controls required for each flow and store within it. For example, if sensitive data flows across the public internet then it should be encrypted using SSL. A DFD helps answer these types of questions.
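As an added illustration (not code from the post), here is a small Python model of a cardholder data-flow diagram: nodes with trust zones and data stores, flows tagged with whether they carry cardholder data, and two checks derived from the questions above: which components fall into PCI scope, and which flows or stores need a control decision. The example shop, its zone names and the rule that the core store zone is called "cde" are assumptions.

```python
from dataclasses import dataclass

# Constructed example: a tiny card-accepting web shop modelled as a DFD (not from the post).
@dataclass(frozen=True)
class Node:
    name: str
    zone: str                # assumed trust zone: internet, dmz, cde, backup, test, corp
    stores_chd: bool = False # True for a data store holding cardholder data (CHD)

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_chd: bool
    encrypted: bool = False  # protected in transit

def example_dfd():
    nodes = [Node("browser", "internet"), Node("web", "dmz"), Node("app", "cde"),
             Node("db", "cde", stores_chd=True), Node("backup", "backup", stores_chd=True),
             Node("testdb", "test", stores_chd=True), Node("analytics", "corp")]
    flows = [Flow("browser", "web", carries_chd=True, encrypted=True),
             Flow("web", "app", carries_chd=True),     # dmz -> cde in the clear
             Flow("app", "db", carries_chd=True),      # within the CDE
             Flow("db", "backup", carries_chd=True),   # backups hold CHD too
             Flow("db", "testdb", carries_chd=True, encrypted=True),  # live data copied to test
             Flow("app", "analytics", carries_chd=False)]            # tokenised, no CHD
    return nodes, flows

def in_scope(nodes, flows):
    """Names of every node that stores CHD or sits at either end of a CHD flow."""
    scope = {n.name for n in nodes if n.stores_chd}
    for f in flows:
        if f.carries_chd:
            scope.update((f.src, f.dst))
    return scope

def findings(nodes, flows):
    """Flows and stores needing a control decision: cleartext CHD crossing a trust
    boundary, and CHD held outside the core CDE zone (backups, test systems, desktops)."""
    zone = {n.name: n.zone for n in nodes}
    out = []
    for f in flows:
        if f.carries_chd and zone[f.src] != zone[f.dst] and not f.encrypted:
            out.append(("cleartext CHD across trust boundary", f"{f.src}->{f.dst}"))
    for n in nodes:
        if n.stores_chd and n.zone != "cde":
            out.append(("CHD stored outside CDE zone", n.name))
    return out
```

Running `findings(*example_dfd())` lists the cleartext dmz-to-CDE hop and the backup copy as boundary crossings, and the backup and test databases as stores that carry the production data security obligations with them.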