A cardholder data environment (CDE) is a computer system or networked group of IT systems that processes, stores and/or transmits cardholder data or sensitive payment authentication data. A CDE also includes any component that directly connects to or supports this network.
The Payment Card Industry Data Security Standard (PCI DSS) includes specific requirements for securing electronic payment and authentication data residing on all physical and virtual components in the CDE, including:
- Network components such as firewalls, switches, routers, access points, network appliances, security appliances.
- Point-of-sale (POS) systems, such as payment terminals, cash registers, card readers and other systems that intake payment card data from a customer at the time of a payment transaction.
- Servers including Web servers, application servers, database servers, authentication servers, mail servers, proxy servers, network time protocol servers and domain name servers.
- All applications, both internal and external.
- Any virtual component, including virtual machines, virtual switches, virtual routers, virtual appliances, virtual applications, virtual desktops and hypervisors.
- Third-party IT systems.
Most data breaches in the retail sector involve a compromise of the cardholder data environment. To that end, the PCI DSS requires a variety of controls to secure the CDE, including network segmentation. If the size and scope of the cardholder data environment is minimal and is adequately isolated using technology and rule sets, it will reduce the likelihood of a data breach.