PCI DSS 1.2.3: Maintain Accurate Network Diagrams
Network documentation is foundational to PCI DSS compliance—auditors expect precise, current diagrams showing every connection to your cardholder data environment. Control 1.2.3 requires you to map all links between the CDE and other networks, including wireless access points. Without accurate diagrams, you risk missing segmentation gaps, hidden data flows, and compliance violations.
What this means
This control mandates maintaining up-to-date network diagrams that clearly illustrate all connections between your cardholder data environment (CDE) and external networks, as well as internal wireless access points. The diagrams must be detailed enough for auditors and your own security team to understand data flow, identify potential vulnerabilities, and verify proper network segmentation. Any change to network architecture—new servers, firewall rules, wireless deployments—requires diagram updates.
How to comply
- 1.Create comprehensive network diagrams documenting all systems, servers, and devices within and connected to the CDE
- 2.Clearly label all connections between the CDE and other networks, including internet-facing systems and internal networks
- 3.Include wireless access points, their locations, and authentication methods in your diagrams
- 4.Document all data flows and communication protocols between network segments
- 5.Establish a change management process to update diagrams whenever network topology changes
- 6.Review and validate diagrams at least annually or immediately after significant infrastructure changes
- 7.Maintain diagrams in a controlled, accessible format that security and compliance teams can reference quickly
- 8.Store diagram versions and maintain audit trails of who approved each iteration
Evidence auditors look for
- Current network diagrams in visio, draw.io, or similar tools showing CDE boundaries and connections
- Wireless network inventory listing SSIDs, authentication types, and coverage areas
- Network change logs tied to corresponding diagram version updates
- Signed audit documentation confirming annual review and validation of network diagrams
- Data flow diagrams showing payment data movement between systems and external networks
- Segmentation documentation proving network isolation between CDE and non-compliant systems
- Network architecture documents maintained by IT with approval signatures and change dates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks network changes and alerts you when diagrams need updates, eliminating manual maintenance and ensuring audit-ready documentation stays current.
See how GRCWatch handles this control automatically
Start free trial