GRCWatch
Sign inStart free trial

PCI DSS 1.2.4: Maintain Accurate Data-Flow Diagrams

Data-flow diagrams are your compliance blueprint—they prove you know where cardholder data lives, moves, and gets processed across your entire network. Without accurate documentation, you can't identify security gaps, manage risk effectively, or pass PCI DSS audits. This control requires you to maintain diagrams that capture every system and network path touching card data.

What this means

PCI DSS 1.2.4 mandates that your organization create and keep current data-flow diagrams showing how cardholder data moves through all systems and networks. These diagrams must be detailed enough to demonstrate data scope, identify sensitive flows, and show all connection points between systems, whether within your environment or at external integrations. The diagrams serve as both a compliance artifact and an operational tool for identifying where security controls need to be applied.

How to comply

  1. 1.Document all systems that store, process, or transmit cardholder data using a consistent diagramming standard
  2. 2.Map data flows across networks including internal connections, cloud services, third-party processors, and payment gateways
  3. 3.Identify entry and exit points where cardholder data enters or leaves your environment
  4. 4.Label each connection with data type, encryption status, and authentication requirements
  5. 5.Update diagrams whenever system architecture changes, new integrations are added, or cardholder data flows are modified
  6. 6.Maintain version history and change dates to demonstrate ongoing maintenance
  7. 7.Review and validate diagrams annually or after significant infrastructure changes
  8. 8.Make diagrams accessible to relevant teams (security, engineering, compliance) for reference and updates

Evidence auditors look for

  • Current data-flow diagrams with dated versions showing evolution over time
  • System inventory cross-referenced to diagram components
  • Network topology diagrams highlighting cardholder data paths
  • Documentation of data flows to payment processors and external service providers
  • Change log showing when diagrams were updated and why
  • Evidence of management review and approval of diagrams
  • Diagrams used in security assessments and vulnerability testing

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers and maps cardholder data flows across your systems, generating data-flow diagrams that stay synchronized with your infrastructure—eliminating manual diagram maintenance and the compliance risk of outdated documentation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 1.1 - Define and Document Security PolicyPCI DSS 1.2.1 - Network Diagram DocumentationPCI DSS 1.2.3 - Configuration StandardsPCI DSS 4.1 - Strong Cryptography for Data in TransitPCI DSS 12.3 - Security Awareness Program