Compliance frameworks
How to secure your cardholder data environment and gain PCI DSS compliance

How to secure your cardholder data environment and gain PCI DSS compliance

For businesses large and small, whether you’re a merchant that accepts payments or a service provider that aids in this process for merchants, PCI compliance is a critical way to protect your business. Not only does it significantly lower your risk for a costly data breach, but it saves you from the expensive consequences of noncompliance, like increased fees and fines from major financial institutions.

PCI compliance is complex, though, and one part that throws many businesses for a loop is the idea of securing their CDE. What does this mean and how can you go about it?

What is a CDE?

In terms of PCI DSS, CDE stands for cardholder data environment. This refers to any and all of your systems that are involved in storing, processing, or transferring cardholder data. If there is any connection or path from a part of your system to cardholder data, it’s part of your CDE.

To understand what parts of your system this includes, though, you also need to know what cardholder data the PCI DSS is referring to. In this case, it’s referencing the payment card’s card number or account number as well as the card’s expiration date and cardholder data service code as well as the cardholder’s name.

What are the PCI DSS requirements for a credit card CDE?

Securing your cardholder data environment is the key focus of PCI compliance. There are twelve general requirements for PCI compliance, all of which directly impact the security of your cardholder data.

1. Install and maintain a firewall configuration to protect cardholder data.

A firewall helps to block attempts to break into your system and access or steal cardholder data. You need to have an active firewall at all times that keeps your CDE safe.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

When you receive a new piece of equipment or software tool from a vendor, they usually give you a default password. PCI compliance requires that you change this password because vendors may give the same passwords to multiple businesses or use a predictable system to create these passwords. This makes them easy to break.

3. Protect stored cardholder data.

This requirement sounds general but the sub-requirements within it are far more specific. They refer to security techniques such as minimizing the amount of data you store and removing data promptly after use, masking card numbers wherever they are displayed, encrypting or using other methods to conceal cardholder data in storage, having access keys and protocols to protect these access keys, and more.

4. Encrypt transmission of cardholder data across open, public networks.

While these occasions should be kept to a minimum, if you have a need to transmit cardholder data across public networks, PCI compliance requires that you securely encrypt the data so it can’t be intercepted and used by others.

5. Use and regularly update anti-virus software or programs.

One way thieves can get cardholder data is by infecting your network or devices with a virus that accesses this data, so anti-virus software is required to block these attempts.

6. Develop and maintain secure systems and applications.

This requirement focuses on detecting and closing potential vulnerabilities in your system. It includes strategies like keeping up with security patches from all vendors, using secure development practices for internal and external applications, and so on.

7. Restrict access to cardholder data by business need-to-know.

The fewer people have access to your cardholder data, the fewer opportunities there are for someone unauthorized to gain access and misuse the data. This is why you must minimize the number of employees or contractors with access to your CDE environment for PCI compliance.

8. Assign a unique ID to each person with computer access.

The only way to know that the right people (and only the right people) are accessing your cardholder data is to track who is accessing the data at any point in time. For PCI compliance, you need to do this by giving everyone with computer access a specific ID code and only allowing access to select codes.

9. Restrict physical access to cardholder data.

In addition to protecting digital access to cardholder data, the PCI DSS requires that you restrict access to data physically by protecting any devices or locations where data is stored, like your CDE server.

10. Track and monitor all access to network resources and cardholder data.

Using the unique ID codes for each person with computer access, PCI compliance requires that you monitor who is accessing what cardholder data and when so you can better safeguard the data and so you have clear access records in case a data breach occurs.

11. Regularly test security systems and processes.

New vulnerabilities and problems can appear without your knowledge, so to be PCI compliant, you need protocols that frequently test your security systems and processes to ensure they’re working properly.

12. Maintain a policy that addresses information security for employees and contractors.

In addition to technical security systems, you need to have policies in place that outline the security practices for employees and contractors to follow.

How to secure your cardholder data environment

With all those security requirements, where do you even begin? Fortunately, starting to protect your CDE is simpler than you think.

Begin with the Vanta PCI compliance tool. This software scans your system looking for the requirements of the PCI DSS. It then gives you a detailed report of which requirements you already meet and which ones you still need to address.

A compliance tool will streamline your work toward CDE credit card data protection because you have an accurate understanding of where you stand from the start and it allows you to avoid wasting time on unnecessary processes.

Getting PCI compliant

PCI Compliance for Small Business: What You Need to Know

Your PCI DSS Compliance Checklist

PCI Compliance in 3 Steps

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes