Cardholder Data Environment (CDE)
The Cardholder Data Environment (CDE) is the totality of network components, systems, and processes that store, process, or transmit payment card data or sensitive authentication data. It encompasses all systems directly connected to or in the same network as systems that handle cardholder data, as well as any systems that could impact the security of cardholder data.
Regulatory Definitions
- PCI-DSS v3.2.1 & v4.0 (Section 1.1): The CDE is defined as the network segment containing cardholder data components, and includes any connected system components. PCI-DSS requires that organizations identify all locations where cardholder data is stored, processed, or transmitted and establish boundaries for the CDE through network segmentation or other isolation controls (Requirement 1).
- PCI-DSS v4.0 (Section 1.4): Enhanced guidance clarifies that the CDE scope must include systems that have direct or indirect connectivity to systems handling cardholder data, with emphasis on logical and physical boundaries that must be documented and maintained.