# PCI Black Box Pattern

This page describes the standard rack-level pattern used by Infini-Connect for PCI environments. The same rack is drawn three times, for three audiences: an internal view with every zone and component, a simplified customer view, and an auditor view that maps zones to PCI DSS requirements and evidence flows.
## Internal View – Detailed Zones & Components
{: .doc-audience-internal}

```mermaid
graph TD
    %% INTERNAL – PCI Black Box Rack Zones & Components
    %% audience: internal
    EXT["External Networks<br/>(Internet / Partner / WAN)"]
    subgraph RACK["PCI Black Box Rack"]
        subgraph EDGE["Edge Layer"]
            FW["HA Firewalls<br/>(Perimeter + Segmentation)"]
            DFW["Internal Segmentation Rules"]
        end
        subgraph DMZ["DMZ / Presentation Layer"]
            RP["Reverse Proxies / WAF"]
            VPN["VPN Gateways / WG Entry"]
        end
        subgraph CDE["CDE – Cardholder Data Environment"]
            APP["Payment Apps / Switches"]
            DB["Databases"]
            HSM["HSM / Crypto Services"]
        end
        subgraph OOB["OOB & Management"]
            MGMT["Mgmt Network Switch"]
            OOB_SRV["OOB Mgmt Servers / IPMI"]
        end
        subgraph JBX["Jumpbox & Admin Access"]
            JB_SIT["SIT Jumpbox"]
            JB_UAT["UAT Jumpbox"]
            JB_PROD["PROD Jumpbox"]
            AD["AD / LDAP (secure.local)"]
        end
        subgraph SEC["Security & Observability"]
            SIEMC["Log Collectors / SIEM Agents"]
            SCAN["Local Scan Runners<br/>(Containers)"]
            MON["Monitoring / Metrics"]
        end
    end
    EXT --> FW
    FW --> DMZ
    FW --> CDE
    FW --> OOB
    APP --> DB
    APP --> HSM
    JB_PROD --> CDE
    JB_UAT --> CDE
    JB_SIT --> CDE
    SCAN --> CDE
    SCAN --> DMZ
```
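The segmentation property the internal view is meant to express is that the CDE accepts traffic only from the edge firewalls, the jumpbox layer and the local scan runners, and that nothing external reaches the CDE except through the firewall layer. The following script is an added example, not part of the Infini-Connect pattern or its tooling: it transcribes the zones and flows of the diagram above into data and checks both properties, then repeats the check on a constructed misconfiguration to show what a finding looks like. The zone and component identifiers are the diagram's own; the `FLOWS`, `BAD_FLOWS` and `CDE_INGRESS_ALLOWED` names and the function names are assumptions introduced for the example. The same check can be run against a real firewall rule export once the rules have been reduced to (source zone, destination zone) pairs.

```python
"""Segmentation check over the PCI Black Box rack zone graph.

Added example: encodes the internal view as data and verifies that
(1) every zone-level flow into the CDE originates from an allow-listed zone and
(2) no path from external networks reaches the CDE without crossing the edge
firewall layer. Identifiers are taken from the diagram; FLOWS, BAD_FLOWS,
CDE_INGRESS_ALLOWED and the function names are assumptions of this example.
"""
from collections import deque

# Zone membership, transcribed from the internal view subgraphs.
ZONES = {
    "EXT": {"EXT"},
    "EDGE": {"FW", "DFW"},
    "DMZ": {"RP", "VPN"},
    "CDE": {"APP", "DB", "HSM"},
    "OOB": {"MGMT", "OOB_SRV"},
    "JBX": {"JB_SIT", "JB_UAT", "JB_PROD", "AD"},
    "SEC": {"SIEMC", "SCAN", "MON"},
}

# Directed flows, transcribed from the internal view edges. An endpoint may be
# a zone id (e.g. "CDE") or a component id (e.g. "APP").
FLOWS = [
    ("EXT", "FW"), ("FW", "DMZ"), ("FW", "CDE"), ("FW", "OOB"),
    ("APP", "DB"), ("APP", "HSM"),
    ("JB_PROD", "CDE"), ("JB_UAT", "CDE"), ("JB_SIT", "CDE"),
    ("SCAN", "CDE"), ("SCAN", "DMZ"),
]

# Constructed misconfiguration (not in the diagram): a reverse proxy that is
# reachable from the Internet past the firewall and talks straight to APP.
BAD_FLOWS = FLOWS + [("EXT", "RP"), ("RP", "APP")]

# Zones permitted to initiate traffic into the CDE, as the diagram draws them:
# the firewall layer, the jumpbox layer and the scan runners.
CDE_INGRESS_ALLOWED = {"EDGE", "JBX", "SEC"}


def zone_of(endpoint):
    """Map a component or zone id to its zone id."""
    if endpoint in ZONES:
        return endpoint
    for zone, members in ZONES.items():
        if endpoint in members:
            return zone
    raise KeyError(f"unknown endpoint {endpoint!r}")


def zone_flows(flows):
    """Reduce component-level flows to (src_zone, dst_zone) pairs; intra-zone traffic is dropped."""
    pairs = set()
    for src, dst in flows:
        s, d = zone_of(src), zone_of(dst)
        if s != d:
            pairs.add((s, d))
    return pairs


def cde_ingress_violations(flows, allowed=CDE_INGRESS_ALLOWED):
    """Zone-level flows into the CDE whose source zone is not on the allow-list."""
    return sorted((s, d) for s, d in zone_flows(flows)
                  if d == "CDE" and s not in allowed)


def paths_bypassing_firewall(flows, source="EXT", target="CDE", chokepoint="EDGE"):
    """Zone-level paths from source to target that never touch the chokepoint zone.

    Breadth-first search over the zone graph with every edge into or out of the
    chokepoint removed. A non-empty result means external traffic can reach the
    CDE without crossing the firewall layer.
    """
    adj = {}
    for s, d in zone_flows(flows):
        if chokepoint in (s, d):
            continue
        adj.setdefault(s, set()).add(d)
    found = []
    queue = deque([[source]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            found.append(path)
            continue
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt not in path:  # simple paths only
                queue.append(path + [nxt])
    return found


if __name__ == "__main__":
    for name, flows in (("pattern as drawn", FLOWS), ("constructed misconfiguration", BAD_FLOWS)):
        print(f"== {name}")
        print("  CDE ingress violations :", cde_ingress_violations(flows))
        print("  firewall bypass paths  :", paths_bypassing_firewall(flows))
```

The allow-list is deliberately kept at zone granularity because that is the level the diagram draws; if the deployed policy is tighter (for example, only the PROD jumpbox may reach the CDE), express `CDE_INGRESS_ALLOWED` and the flows at component level instead so the check reflects the actual rule base rather than the picture of it.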
## Customer View – Simplified PCI Black Box Concept
{: .doc-audience-customer}

```mermaid
graph TD
    %% Customer View – PCI Black Box Concept
    %% audience: customer
    EXT["External Networks"] --> EDGE["Secure Edge (Firewalls + VPN)"]
    EDGE --> DMZ["DMZ / Web & API Frontends"]
    EDGE --> CDE["PCI Core Systems"]
    EDGE --> ADMIN["Admin & Management"]
    CDE --> PAY["Payment Apps & Databases"]
    CDE --> CRYPTO["Crypto / HSM"]
    ADMIN --> JBX["Jumpboxes (SIT/UAT/PROD)"]
    ADMIN --> MGMT["Management & Monitoring"]
    MGMT --> LOGS["Central Logging / SIEM"]
    MGMT --> SCANS["Security Scans & Tests"]
```
## Auditor View – PCI Controls & Evidence Flows
{: .doc-audience-auditor}

This view is intended for QSAs and internal audit, focusing on:
- Where the CDE boundary is
- Which controls live where
- Where evidence is generated and collected
```mermaid
graph LR
    %% Auditor View – PCI Controls & Evidence Flows
    %% audience: auditor
    EXT["External Networks"]
    subgraph EDGE["Secure Edge<br/>(Req 1 – Firewalls & Segmentation)"]
        FW["Perimeter & Internal Firewalls"]
        VPN["VPN / WG Entry Points"]
    end
    subgraph RACK["PCI Black Box Rack"]
        subgraph DMZ["DMZ / Presentation"]
            WAF["WAF / Reverse Proxies<br/>(Req 6.4, 6.6)"]
        end
        subgraph CDE["CDE – Cardholder Data Environment<br/>(Scope Boundary)"]
            APP["Payment Apps / Switches<br/>(Req 2, 6)"]
            DB["Databases<br/>(Req 3)"]
            HSM["HSM / Crypto Services<br/>(Req 3, Dual Control)"]
        end
        subgraph ADMIN["Admin & Jumpbox Layer"]
            JBX["Jumpboxes (SIT/UAT/PROD)<br/>(Req 7, 8)"]
            AD["AD / LDAP (Admin Accounts)<br/>(Req 7, 8)"]
        end
        subgraph SEC["Security & Monitoring"]
            LOG["Log Collectors / Agents<br/>(Req 10)"]
            SCAN["Vuln & Pentest Runners<br/>(Req 11)"]
            CFG["Config Baselines & Drift<br/>(Req 2)"]
            CHG["Change & Access Records<br/>(Req 6, 7, 12)"]
        end
    end
    subgraph EVIDENCE["Central Evidence Systems"]
        SIEM["SIEM / Log Platform<br/>(Req 10)"]
        RPT["Infini-Connect Evidence Packs<br/>(Reports, Diagrams)"]
    end
    EXT --> FW
    FW --> VPN
    FW --> DMZ
    FW --> CDE
    FW --> ADMIN
    WAF --> APP
    APP --> DB
    APP --> HSM
    CDE --> LOG
    DMZ --> LOG
    ADMIN --> LOG
    SCAN --> DMZ
    SCAN --> CDE
    CFG --> CDE
    CFG --> ADMIN
    CHG --> ADMIN
    CHG --> JBX
    LOG --> SIEM
    SCAN --> SIEM
    CFG --> RPT
    CHG --> RPT
    SIEM --> RPT
```