Skip to main content

Inside and Outside the Cardholder Data Environment

October 04, 2018

Finding the common ground where compliance and security meet 

Businesses have spent an enormous amount of money on PCI compliance. It is time to leverage these existing investments and expand them to include payment security. Therefore, it’s important to find the common ground where PCI compliance and payment security can benefit one another. The quickest way for cyber security professionals to get thrown out of the board room is to say, “Remember that PCI thing? Well, scratch that, we need funding for a whole new security approach.” There is little tolerance in the business community to start over with PCI compliance to ensure payment security.   

The business climate for security will continue to change as digital transformation puts more and more pressure on payment security and PCI compliance. Business security stakeholders have been preached to for twenty years about these requirements. It’s time to transition what cyber security professionals have learned during these last two decades into something that can protect the next generation of payment transactions and reduce the risk of financial theft.   

One of the fundamental truths of how our industry has dealt with complying with the PCI standard is that we’ve tried to make it a non-event. We’ve done this by locking the payment environment into an enclave that gets “special” treatment in order to be PCI compliant. The PCI standard would refer to this as a network containing ‘cardholder data’, and we’ve grown accustomed to referring to our (often somewhat arbitrary) distinction of this network as the ‘CDE’ or ‘Cardholder Data Environment’, although in practice those of us in the industry have given this network what is a far more appropriate and dangerous term: ‘The PCI environment’. The PCI standard says, in its very first requirement, “Build and maintain a secure network.” Unfortunately, it has become standard practice to use this requirement (and others) to segment our security program activities into two distinct categories: Things we do ‘inside’ the CDE, and things we do ‘outside’ the CDE. In an effort to be compliant we’ve created an interesting paradox: We’re willing to spend the last dollar on the credit card environment while the breaches are most likely to come from somewhere else, if history is any indication. In this paradox lies precisely the reason the major retail breaches have all occurred against companies who had attested to the fact that they were PCI compliant and things ‘inside’ the CDE were secure. 

Merchants need to rethink the use of compliance budgets. They need to think about how to more effectively use that money on not only compliance but overall security to improve and simplify PCI compliance. These investments can be leveraged to secure the entire payment process, inside and outside the cardholder data environment. PCI Compliance is the output of an effective security strategy.   

In the white paper, Building a Secure Payment Lifecycle, Optiv expands upon the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, and it describes additional considerations that influence merchants’ ability to attain not only compliance but also solve top payment security challenges.

    J.R. Cunningham

By: J.R. Cunningham

VP, Product Management

See More

Related Blogs

September 26, 2018

Data is the New Currency

In today’s digital world, data is currency. Nowhere does this phenomenon show itself more clearly than in the world of payment transactions. Payment f...

See Details

March 07, 2018

PCI Compliance Every Day – Requirement 4

In this latest post of my Payment Card Industry Data Security Standard (PCI DSS) compliance blog series, we will explore Requirement 4 of the standard...

See Details

May 10, 2017

PCI Compliance Every Day

The title of this post sounds daunting, does it not? However, achieving PCI compliance every day is not as daunting as you might think. With the relea...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.