This template should be customized for each environment and assessment, ensuring all relevant details are captured and accurately reflect the data flow within the CDE.
---
## Data Flow Narrative Document Template for PCI DSS v4.0 Assessment
### Document Control
- **Version:** [Enter Version]
- **Date:** [Enter Date]
- **Prepared by:** [Enter Preparer's Name]
- **Reviewed by:** [Enter Reviewer's Name]
- **Approved by:** [Enter Approver's Name]
### Introduction
- **Purpose of Document:** Provide an overview of the purpose of this document and how it is used in the context of a PCI DSS v4.0 assessment.
### Data Flow Description
- **Overview of Data Flow:** Describe the high-level data flow across the cardholder data environment (CDE). Include details of Authorization, Capture, Settlement, Chargeback/Dispute, Refunds, and Other flows.
### Detailed Step-by-Step Narrative
- **Step 1:** [Describe the first step of the data flow, including data elements and purpose]
- **Step 2:** [Continue with subsequent steps, ensuring all account data flows are documented]
- **Final Step:** [Conclude with the final step of the data flow]
### Cardholder Data Transmission
- **Entity's Network Location:** [Hostname, URL, etc.]
- **IP Address(es):** [List all IP Addresses involved]
- **Cardholder Data Elements Transmitted:** [List PAN, expiry, etc.]
- **Purpose of Transmission:** [Authorization, Capture, Settlement, etc.]
- **Other Entity in Communication:** [Name or internal network location]
- **Type of Other Entity:** [Processor, gateway, card brand, or N/A if within Entity]
- **Transmission Over Open, Public Networks:** [Yes / No]
- **Type of Encryption Used:** [HTTPS, SSH, etc.]
### Data Stores Inventory
- **Hostname:** [Specify hostname where CHD is stored]
- **IP Address(es):** [List IP Addresses]
- **Cardholder Data Elements Stored:** [Specify data elements]
- **Database/Table/Column Names OR File Path:** [Detail storage locations]
- **DBMS OR File System Name:** [MSSQL, Oracle, Windows, RHEL, etc.]
- **Data Protection:** [Truncated, Hashed, Encrypted]
- **Encryption / Hashing Algorithm:** [Specify algorithm]
- **Access Logging Method:** [Application-level, OS-level, etc.]
- **Quarterly CHD Deletion Method:** [Manual, Programmatic]
- **Data Encrypting Key Storage Location:** [Hostname/Filepath, DB Server/Table]
- **Key Encrypting Key Storage Location:** [Hostname/Filepath, DB Server/Table]
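As an added example (not part of the template), a small Python checker that takes rows filled in under the Cardholder Data Transmission and Data Stores Inventory sections above and flags entries an assessor would query. The record fields mirror the template's field names; the sample rows, hostnames and the review rules themselves are constructed assumptions, not guidance from the template.

```python
from dataclasses import dataclass
STRONG_PROTECTION = {"Truncated", "Hashed", "Encrypted"}

@dataclass
class Transmission:  # one row of the Cardholder Data Transmission section
    location: str               # Entity's Network Location
    elements: list              # Cardholder Data Elements Transmitted
    open_public_network: bool   # Transmission Over Open, Public Networks
    encryption: str             # Type of Encryption Used ("" if none recorded)

@dataclass
class DataStore:  # one row of the Data Stores Inventory section
    hostname: str
    elements: list              # Cardholder Data Elements Stored
    protection: str             # Data Protection: Truncated / Hashed / Encrypted / ""
    algorithm: str              # Encryption / Hashing Algorithm
    dek_location: str           # Data Encrypting Key Storage Location
    kek_location: str           # Key Encrypting Key Storage Location

def review_transmission(t: Transmission) -> list:
    findings = []
    if t.open_public_network and not t.encryption:
        findings.append(f"{t.location}: open-network transmission, no encryption recorded")
    return findings

def review_store(s: DataStore) -> list:
    findings = []
    if "PAN" in s.elements and s.protection not in STRONG_PROTECTION:
        findings.append(f"{s.hostname}: PAN stored without Truncated/Hashed/Encrypted protection")
    if s.protection in {"Hashed", "Encrypted"} and not s.algorithm:
        findings.append(f"{s.hostname}: protection claimed but no algorithm recorded")
    # Assumed review rule: a DEK and its KEK recorded in the same place get a closer look.
    if s.dek_location and s.dek_location == s.kek_location:
        findings.append(f"{s.hostname}: DEK and KEK recorded at the same location; confirm separation")
    return findings

# Constructed sample rows (hostnames and locations are placeholders, not real systems).
SAMPLE_TRANSMISSIONS = [
    Transmission("pos-gw.example.internal", ["PAN", "expiry"], True, "HTTPS (TLS 1.2+)"),
    Transmission("batch-out.example.internal", ["PAN"], True, ""),
]
SAMPLE_STORES = [
    DataStore("db01.example.internal", ["PAN"], "Encrypted", "AES-256", "/etc/keys", "/etc/keys"),
    DataStore("fs01.example.internal", ["PAN", "expiry"], "", "", "", ""),
]

def review_all(transmissions=SAMPLE_TRANSMISSIONS, stores=SAMPLE_STORES) -> list:
    return ([f for t in transmissions for f in review_transmission(t)]
            + [f for s in stores for f in review_store(s)])
```

Running `review_all()` on the constructed rows returns three findings: the unencrypted batch transmission, the co-located key pair on db01, and the unprotected PAN on fs01.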
### Web Applications in the CDE
- **Web Application/Service Name:** [Enter Name]
- **Domain/URL:** [Enter Domain/URL]
- **Function / Purpose:** [Describe the application's purpose]
- **Public Facing/Internal Only:** [Specify]
- **Hostnames:** [List all associated hostnames]
### Diagram Attachments
- **Data Flow Diagram Reference:** [Attach or reference the data flow diagram that accompanies this narrative]
### PCI DSS v4.0 References
- [[1.2.4 requirement guidance|Requirement 1.2.4]]
- [[1.4.4 requirement guidance|Requirement 1.4.4]]
- [[12.5.2 requirement guidance|Requirement 12.5.2]]
### Review and Sign-off
- **Assessor's Review:** [Assessor's comments and sign-off]
- **Entity's Acknowledgement:** [Entity representative's acknowledgment and signature]
---