PCI DSS 1.2.4: Maintain Accurate Data-Flow Diagrams
Data-flow diagrams are your compliance blueprint—they prove you know where cardholder data lives, moves, and gets processed across your entire network. Without accurate documentation, you can't identify security gaps, manage risk effectively, or pass PCI DSS audits. This control requires you to maintain diagrams that capture every system and network path touching card data.
What this means
PCI DSS 1.2.4 mandates that your organization create and keep current data-flow diagrams showing how cardholder data moves through all systems and networks. These diagrams must be detailed enough to demonstrate data scope, identify sensitive flows, and show all connection points between systems, whether within your environment or at external integrations. The diagrams serve as both a compliance artifact and an operational tool for identifying where security controls need to be applied.
How to comply
- 1.Document all systems that store, process, or transmit cardholder data using a consistent diagramming standard
- 2.Map data flows across networks including internal connections, cloud services, third-party processors, and payment gateways
- 3.Identify entry and exit points where cardholder data enters or leaves your environment
- 4.Label each connection with data type, encryption status, and authentication requirements
- 5.Update diagrams whenever system architecture changes, new integrations are added, or cardholder data flows are modified
- 6.Maintain version history and change dates to demonstrate ongoing maintenance
- 7.Review and validate diagrams annually or after significant infrastructure changes
- 8.Make diagrams accessible to relevant teams (security, engineering, compliance) for reference and updates
Evidence auditors look for
- Current data-flow diagrams with dated versions showing evolution over time
- System inventory cross-referenced to diagram components
- Network topology diagrams highlighting cardholder data paths
- Documentation of data flows to payment processors and external service providers
- Change log showing when diagrams were updated and why
- Evidence of management review and approval of diagrams
- Diagrams used in security assessments and vulnerability testing
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and maps cardholder data flows across your systems, generating data-flow diagrams that stay synchronized with your infrastructure—eliminating manual diagram maintenance and the compliance risk of outdated documentation.
See how GRCWatch handles this control automatically
Start free trial