Table of Contents
- What data is considered PCI?
- What is cardholder data?
- What is Sensitive Authentication Data (SAD)?
- What is the Cardholder Data Environment (CDE)?
- How does cardholder data factor into PCI DSS Compliance?
- What happens if I am not PCI compliant?
- How can I make sure my CDE is compliant with PCI DSS?
- Securing Your Own CDE: The DIY Approach
- The Downsides of DIY PCI Compliance
Before we jump into how to protect your organization’s CDE and how to become PCI compliant with a fraction of the resources it takes to do it by yourself, let’s go over a few basics about CDE security and how it relates to PCI compliance.
When we refer to Payment Card Industry (PCI) data, we are talking about the information contained on and in payment cards. PCI data is divided into two categories:
- Cardholder Data
- Sensitive Authentication Data (SAD)
What’s the difference between cardholder data and SAD?
According to the PCI Security Standards Council (PCI SSC), cardholder data includes the Primary Account Number (PAN) of the credit or debit card, either by itself or alongside one of the following:
- the card’s expiration date
- the cardholder name
- the credit or debit card’s service code
While cardholder data includes the Primary Account Number (PAN), the cardholder name, service code and expiration date, Sensitive Authentication Data (SAD) is the information used to verify the account at the time of payment, and includes:
- Full magnetic stripe data
- CAV2 (Card Authentication Value) / CVC2 (Card Validation Code 2, for MasterCard) / CVV2 (Card Verification Value 2, for Visa) / CID (Card Identification Number, for American Express)
- PIN (Personal Identification Number)/PIN Block
When it comes to PCI data security, PCI DSS Requirement 3 allows companies to store cardholder data, but they cannot store any SAD after authorization - even if it’s encrypted.
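The split between cardholder data and SAD, and the rule that SAD is purged after authorization, are easy to get wrong in code. This added example (not from the original post or from VGS) classifies the fields of a captured payment record, drops every SAD field, truncates the PAN before storage, and scans constructed log text for PANs that would pull the logging host into CDE scope. The field names and sample values are this example's own assumptions.

```python
# Added example, not code from the original post or from VGS: sorts a captured
# payment record into cardholder data (storable) and Sensitive Authentication
# Data (dropped after authorization), truncates the PAN, and scans log text for
# PANs that would bring the logging host into CDE scope. Field names are assumed.
import re

CARDHOLDER_DATA = {"pan", "cardholder_name", "expiry", "service_code"}
SENSITIVE_AUTH_DATA = {"track_data", "cvv2", "pin", "pin_block"}
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits

# Constructed sample input; 4111... is a well-known test PAN, not a real card.
SAMPLE_RECORD = {"pan": "4111111111111111", "cardholder_name": "Jane Doe",
                 "expiry": "12/27", "service_code": "201", "cvv2": "123",
                 "pin_block": "0123456789ABCDEF", "track_data": "%B4111...^"}
SAMPLE_LOG = "auth ok: user 4111 1111 1111 1111 paid; order 1234567890123"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters most non-PAN digit runs out of scan results."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits (the classic Requirement 3 limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_after_authorization(record: dict) -> dict:
    """Return only cardholder data with the PAN truncated; every SAD field is dropped."""
    kept = {}
    for field, value in record.items():
        if field in SENSITIVE_AUTH_DATA:
            continue  # never stored post-authorization, encrypted or not
        if field not in CARDHOLDER_DATA:
            raise ValueError(f"unclassified field {field!r}: classify it before storing")
        kept[field] = truncate_pan(value) if field == "pan" else value
    return kept


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs in free text (logs, tickets, exports)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits
```

A record that must keep the full PAN (recurring billing, for example) needs encryption or tokenization instead of truncation; the SAD rule applies either way.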
Your business’ cardholder data environment (CDE) is made up of all systems that store, handle or transmit cardholder data – including service providers, people and processes. If cardholder data from credit or debit cards can be found anywhere on a network segment, then that entire network segment is a part of your CDE.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that was designed by the PCI SSC, which is made up of the major payment card brands - including Visa, Discover, American Express, JCB International and MasterCard.
The PCI SSC set up the security standards to help ensure that organizations properly protect their customers’ payment card data, which is why PCI DSS requires several security controls to protect your CDE. PCI DSS Requirement 4, for example, dictates that companies must employ “strong cryptography” to protect cardholder data while it is transmitted over open, public networks.
PCI DSS requirements apply to both merchants and service providers that handle PCI data, and you can find out more about what level of compliance your company needs in our in-depth PCI compliance blog post "What is PCI?".
If your business wants to process, store or transmit payment card data, then it must comply with the PCI DSS compliance requirements. To put it simply: if you don’t play by the rules of the card industry, then you can’t work with payment cards.
If you fail to meet each PCI requirement, there can be consequences.
First, PCI non-compliance fines start at $5,000 and can soar into the hundreds of thousands for cardholder data breach incidents - but that’s not the primary reason to comply with PCI DSS.
For companies of all sizes, a single data breach or any other negative cybersecurity event can mean the end of consumer trust in your organization.
Exposure of stored cardholder data can also easily mean the end of operations entirely.
Safely handling debit and credit card data is a crucial part of running a successful modern business, and achieving PCI DSS compliance is only a part of that.
It’s important to remember that PCI DSS rules aren’t the final destination for your company’s data security needs.
The PCI DSS framework doesn’t cover 100% of the methods organizations should employ to protect their customers’ payment card data, but it serves as a solid foundation for setting up what’s necessary to start protecting your cardholder data.
Most importantly, PCI DSS requires businesses to take specific steps to protect their cardholder data and CDE.
The size and scope of your CDE affect how much risk your business carries when it comes to experiencing a sensitive data breach. So, if your CDE is extensive, there will be many more assets within PCI DSS scope that you’ll need to secure.
The smaller the CDE, the fewer places where sensitive PCI data is stored, translating to less stress on your organization to meet PCI DSS standards.
Many startups opt to secure, from the ground up, their own systems and processes that handle customer cardholder data. This is perhaps because, from the outside, it seems simple and straightforward, which couldn’t be further from the truth.
Defining, testing and making sure that your CDE remains fully compliant is far from a clean and simple process – and it distracts from focusing on your core business.
Data security and PCI DSS compliance simply require expertise. If your company needed to redo all the plumbing in the building, for example, you wouldn’t attempt to do it all yourself. You would hire a plumber who actually knows what they’re doing and how to do it effectively.
When it comes to protecting your CDE, the do-it-yourself (DIY) route certainly has its appeal.
From mapping out your own PCI data flow diagram to performing a Self-Assessment Questionnaire (SAQ), there are ways that businesses can try to tackle it themselves - which often requires a substantial amount of human capital and time spent.
Sure, DIY PCI compliance is possible, but there are a number of unexpected complications that can derail an unprepared organization and negatively impact its financials.
DIY PCI compliance is an expensive process.
Plus, the final cost after everything is said and done often surpasses the original budget.
You can read about the cost of PCI compliance in our PCI DSS budgeting blog post, which goes into more detail about the expenses of DIY compliance.
However, the cost is only the first hurdle to overcome.
You may feel confident that you’re in control and that you know what’s going on in your company’s network components, but a single change in one of your processes can invalidate your compliance or require additional compliance and verification work to start all over again.
PCI DSS compliance is validation of your company’s security posture at a specific point in time, so any changes to your CDE can invalidate the compliance you previously achieved - requiring a revalidation with your updated, current systems and policies now in place.
Even when things go smoothly, DIY requires a significant amount of time, money and resources. Once you’ve successfully achieved PCI compliance, the job is far from done.
Small merchants and service providers, for example, can often find themselves passing the initial assessment - then falling out of PCI DSS compliance within a year.
Any hardware or software updates, upgrades, and expansions (all of which already use up time and resources) can require new audits for compliance and testing of your infrastructure (which takes up even more time, resources and focus away from your core business).
Managing your own CDE, setting up your own PCI DSS controls, and trying to maintain PCI compliance often ends up turning into a costly mess that uses up more resources than many businesses ever intended to dedicate toward data security in the first place.
It may sound too good to be true, but there is a way to comprehensively protect nearly every single asset within your CDE without having to concern yourself with achieving or maintaining PCI DSS compliance.
How is this possible?
By working with a trusted third-party data security partner, like VGS, you can leave your CDE and PCI security concerns in an expert’s hands - and just focus on running your business like you should be doing.
Instead of second-guessing changes to your CDE because you might have to be audited again, or even not launching new product features in order to stay compliant, VGS handles your CDE security policy and compliance efforts for you.
Not only do we provide you with a secure CDE, but our Zero Data approach also keeps sensitive data off of your servers, descoping your systems from PCI requirements and simplifying compliance. With VGS safely storing your data, obtaining and maintaining compliance is an easy and streamlined process.
With VGS, both you and your users can benefit from the storage of any Primary Account Number (PAN), expiration date, or any other piece of PCI data - without any of the risk of having to store it yourself.
Our versatile and secure VGS Vault and CDE allow you to make updates and changes to your system without concern for maintaining PCI compliance.
Simply add new features and we will do our part to ensure that you continue to fulfill every PCI requirement so that you can focus on growing your business.
Want to reduce your PCI risk? Contact us here.