For businesses large and small, whether you’re a merchant that accepts payments or a service provider that aids in this process for merchants, PCI compliance is a critical way to protect your business. Not only does it significantly lower your risk for a costly data breach, but it saves you from the expensive consequences of noncompliance, like increased fees and fines from major financial institutions.
PCI compliance is complex, though, and one part that throws many businesses for a loop is the idea of securing their CDE. What does this mean and how can you go about it?
What is a CDE?
In terms of PCI DSS, CDE stands for cardholder data environment. This refers to any and all of your systems that are involved in storing, processing, or transferring cardholder data. If there is any connection or path from a part of your system to cardholder data, it’s part of your CDE.
To understand what parts of your system this includes, though, you also need to know what cardholder data the PCI DSS is referring to. In this case, it means the payment card’s card number (the primary account number), the card’s expiration date and service code, and the cardholder’s name.
What are the PCI DSS requirements for a credit card CDE?
Securing your cardholder data environment is the key focus of PCI compliance. There are twelve general requirements for PCI compliance, all of which directly impact the security of your cardholder data.
1. Install and maintain a firewall configuration to protect cardholder data.
A firewall helps to block attempts to break into your system and access or steal cardholder data. You need to have an active firewall at all times that keeps your CDE safe.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
When you receive a new piece of equipment or software tool from a vendor, it usually comes with a default password. PCI compliance requires that you change this password, because vendors may give the same passwords to multiple businesses or use a predictable system to create them. This makes them easy to guess.
3. Protect stored cardholder data.
This requirement sounds general but the sub-requirements within it are far more specific. They refer to security techniques such as minimizing the amount of data you store and removing data promptly after use, masking card numbers wherever they are displayed, encrypting or using other methods to conceal cardholder data in storage, having access keys and protocols to protect these access keys, and more.
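As an added example that is not part of the original article, the Python below applies two of the requirement 3 sub-requirements just described: masking a card number for display so that at most the first six and last four digits are visible, and redacting any unmasked card numbers that leak into free text such as log lines. The Luhn check and the sample text in the usage are constructed for this illustration and are not from the page.

```python
import re

# PCI DSS requirement 3 allows a displayed PAN to show at most the first six
# and last four digits; everything in between must be masked.
KEEP_LEADING = 6
KEEP_TRAILING = 4


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to tell real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the permitted leading/trailing digits visible."""
    digits = re.sub(r"\D", "", pan)          # drop spaces and dashes
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    hidden = len(digits) - KEEP_LEADING - KEEP_TRAILING
    return digits[:KEEP_LEADING] + "*" * hidden + digits[-KEEP_TRAILING:]


# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans(text: str) -> tuple:
    """Mask every Luhn-valid PAN found in text; return (redacted_text, count)."""
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)    # e.g. an order number: leave it untouched
        count += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_sub, text), count


if __name__ == "__main__":
    # Constructed sample log line; 4111... is a well-known test card number.
    line = "order 1234567890123 card 4111-1111-1111-1111 by user u042"
    print(redact_pans(line))
```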
4. Encrypt transmission of cardholder data across open, public networks.
While these occasions should be kept to a minimum, if you have a need to transmit cardholder data across public networks, PCI compliance requires that you securely encrypt the data so it can’t be intercepted and used by others.
5. Use and regularly update anti-virus software or programs.
One way thieves can get cardholder data is by infecting your network or devices with a virus that accesses this data, so anti-virus software is required to block these attempts.
6. Develop and maintain secure systems and applications.
This requirement focuses on detecting and closing potential vulnerabilities in your system. It includes strategies like keeping up with security patches from all vendors, using secure development practices for internal and external applications, and so on.
7. Restrict access to cardholder data by business need-to-know.
The fewer people who have access to your cardholder data, the fewer opportunities there are for someone unauthorized to gain access and misuse the data. This is why you must minimize the number of employees or contractors with access to your CDE for PCI compliance.
8. Assign a unique ID to each person with computer access.
The only way to know that the right people (and only the right people) are accessing your cardholder data is to track who is accessing the data at any point in time. For PCI compliance, you need to do this by giving everyone with computer access a specific ID code and only allowing access to select codes.
9. Restrict physical access to cardholder data.
In addition to protecting digital access to cardholder data, the PCI DSS requires that you restrict access to data physically by protecting any devices or locations where data is stored, like your CDE server.
10. Track and monitor all access to network resources and cardholder data.
Using the unique ID codes for each person with computer access, PCI compliance requires that you monitor who is accessing what cardholder data and when so you can better safeguard the data and so you have clear access records in case a data breach occurs.
11. Regularly test security systems and processes.
New vulnerabilities and problems can appear without your knowledge, so to be PCI compliant, you need protocols that frequently test your security systems and processes to ensure they’re working properly.
12. Maintain a policy that addresses information security for employees and contractors.
In addition to technical security systems, you need to have policies in place that outline the security practices for employees and contractors to follow.
How to secure your cardholder data environment
With all those security requirements, where do you even begin? Fortunately, starting to protect your CDE is simpler than you think.
Begin with the Vanta PCI compliance tool. This software checks your systems against the requirements of the PCI DSS. It then gives you a detailed report of which requirements you already meet and which ones you still need to address.
A compliance tool will streamline your work toward CDE credit card data protection because you have an accurate understanding of where you stand from the start and it allows you to avoid wasting time on unnecessary processes.