CDE (Cardholder Data Environment)

PCI DSS

The people, processes, and technology that store, process, or transmit cardholder data — and connected systems.

The Cardholder Data Environment (CDE) is the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data — plus any system connected to or able to impact the security of those components.

Why it matters
Scope creep into the CDE is the single biggest driver of PCI cost. Network segmentation and tokenisation are the standard scope-reduction levers.

Related terms

Cardholder Data (CHD)
The PAN, alone or together with cardholder name, expiration, and service code, as defined by PCI DSS.
Tokenisation
Replacing sensitive data (typically PAN) with a non-sensitive surrogate value (token).
PCI SAQ (Self-Assessment Questionnaire)
PCI DSS self-assessment for merchants meeting eligibility criteria; nine SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE).
