Cardholder Data Flow Diagram Guidance

Shannon Idea generator Vanta Team Member Conversation starter

Cardholder data is sensitive information and must be protected according to the Payment Card Industry Data Security Standard (PCI DSS). A required part of compliance with this standard is creating a Cardholder Data Flow Diagram (CDFD). This diagram visually represents the flow of cardholder data within an organization and helps identify where and how sensitive data is stored, processed, and transmitted.

In my experience as a QSA, creating an accurate CDFD also is instrumental in helping to identify and refine the scope of a PCI assessment during initial implementation. The CDFD and the scoping exercise often go hand in hand; over time, the CDFD often becomes a key part of long-term PCI maintenance efforts. If it’s comprehensive and accurate, it saves everyone time and effort all over the place.

PCI scope is generally anything that stores, processes, or transmits cardholder data or that directly impacts the security of anything that stores, processes, or transmits cardholder data.
But what does that actually mean? And how do we start with figuring that out in an organized way?

Many of the terminology used by the DSS can be “leaky” and hard to interpret for non-experts, so to create your first CDFD, follow this process to ensure your diagram is as accurate, helpful, and comprehensive as possible. 


  1. Draw a map. This involves tracing the path of cardholder data from the moment it is entered into a system, through processing and storage, and finally, to its ultimate destination. 
    1. Think of drawing a map of where it goes at each level of abstraction. Human processes, Application layer, Infrastructure layer, Physical environment, etc.
    2. It can sometimes be helpful to use architecture or network diagrams for reference.
  2. Add in details. Use symbols to represent different components of the cardholder data environment, such as servers, databases, and networks. 
    1. For example, arrows can be used to show the flow of data from one component to another and dotted lines can indicate encrypted or unencrypted connections. Have some fun here. 
  3. Label people, processes and technology. This may include the name of the component/person/process, its location, the type of data that it handles there, and even its service name, IP address, or team name.
  4. Identify and Label Implemented Security Controls on those people, processes, and technology. This includes firewalls, encryption, and access controls that are in place to protect cardholder data. 
    1. When looking at this, reference the 12 primary requirements of the PCI-DSS to keep in mind the kind of things to be focusing on. 
  5. Review and validate. This is an opportunity to check that the diagram accurately represents the flow of cardholder data and that all relevant components and security controls are included.
    1. As this process happens, we often gain a better understanding and remember other things we may have missed in previous steps. 
  6. Update. As changes are made to the cardholder data environment, updating the CDFD to reflect these changes is important. This reduces work during pre-assessment activities and ensures that everyone operates on the same page over time. 


Creating a CDFD is a critical part of PCI compliance (specifically, requirement 1.1.3 in DSS 3.2.1), and is an effective tool for identifying areas of risk, defining scope, and implementing appropriate security controls to protect cardholder data long-term.

Happy diagramming!



Please sign in to leave a comment.