OPEM-03

Can you provide overall system and/or application architecture diagrams including a full description of the data communications architecture for all components of the system?

Explanation

This question is asking whether you can provide comprehensive diagrams and descriptions of your system's architecture, particularly focusing on how data flows between different components.

What it means: The assessor wants to see visual representations (diagrams) of your entire system or application architecture, along with detailed explanations of how data moves through your system. This includes servers, databases, network components, third-party integrations, and any other elements that make up your environment, with special emphasis on components that might process, store, or transmit payment card data.

Why it's being asked: This information helps assessors understand:

1. The scope of your PCI DSS environment (which systems are in scope for compliance)
2. Potential security vulnerabilities in your architecture
3. How data flows through your system, especially cardholder data
4. Whether appropriate security controls exist at critical junctures
5. Whether there are any undocumented or unexpected connections that could pose risks

How to best answer it:

1. Provide current, accurate diagrams that show all system components
2. Include both high-level overviews and detailed component-specific diagrams
3. Clearly mark where cardholder data is stored, processed, or transmitted
4. Show all network connections, including those to third parties
5. Include security controls such as firewalls and encryption points
6. Ensure diagrams are dated and versioned
7. Supplement diagrams with written descriptions explaining data flows
8. If diagrams contain sensitive information, note that they can be provided under NDA

Example Responses

Example Response 1

Yes, we can provide comprehensive system architecture diagrams for our payment processing application. Our documentation includes: (1) a high-level network topology diagram showing all system components, including our web servers, application servers, database servers, and connections to payment processors; (2) detailed data flow diagrams showing how cardholder data moves through our system, with clear marking of encryption points and data storage locations; (3) network segmentation diagrams showing our PCI DSS scope boundaries and security controls; (4) written documentation explaining each component and the security measures implemented. All diagrams are updated quarterly and are under version control. These documents can be provided upon request under NDA, as they contain sensitive security information.

Example Response 2

Yes, we maintain detailed architecture documentation for our SaaS platform. This includes: (1) cloud infrastructure diagrams showing our AWS environment with all relevant services (EC2, RDS, S3, etc.) and security groups; (2) application architecture diagrams detailing our microservices architecture and how each service communicates; (3) data flow diagrams specifically highlighting the path of payment card information, including tokenization points and which third-party services receive this data; (4) network segmentation documentation showing how our cardholder data environment is isolated. All diagrams use standardized notation (e.g., AWS architecture icons) and include annotations explaining the security controls at each layer. These documents are reviewed and updated monthly as part of our change management process and can be provided to your assessment team.

Example Response 3

We have some basic network diagrams that our IT team created when the system was initially set up three years ago. However, these diagrams have not been updated to reflect several recent changes to our infrastructure, including our migration to a hybrid cloud environment and the addition of several new payment processing integrations. We also do not have specific data flow documentation that tracks how cardholder data moves through our systems. Our team is currently working on creating updated documentation, but comprehensive and current architecture diagrams are not available at this time. We expect to have updated documentation completed within the next 2-3 months as part of our security improvement initiatives.

Context

Tab: Case-Specific
Category: Payment Card Industry Data Security Standard (PCI DSS)

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub