What is the purpose of having a current diagram of cardholder data flows?

Study for the PCI Data Security Standard Exam. Master your knowledge with interactive flashcards and multiple-choice questions, each with hints and explanations. Prepare confidently for your certification test!

Multiple Choice

What is the purpose of having a current diagram of cardholder data flows?

Explanation:
Keeping a current diagram of cardholder data flows provides the full map of where cardholder data (CHD) travels, is stored, and is processed across the entire environment. This visibility is essential for accurately scoping PCI DSS, so you can ensure every flow across systems and networks is covered by appropriate controls: encryption, access controls, monitoring, and network segmentation. If the diagram isn't current, changes like new systems or third-party connections can create undocumented CHD paths, leaving gaps in protection. The diagram isn't just about where servers are or about encryption methods; it's a planning tool that informs where controls apply, and it doesn't replace firewall rules.

