The cardholder data environment, or CDE, is the technical and organisational perimeter within which cardholder data is processed. Any system that stores, processes or transmits card data falls within the CDE and must comply with the full set of PCI DSS requirements. Understanding exactly what falls within this perimeter is the first step to understanding how much it costs to maintain and how to reduce it.
What enters the CDE: the PCI DSS perimeter map
By PCI DSS definition, the CDE includes all systems that store, process or transmit card data (PAN, expiry date, CVV, magnetic stripe data), as well as systems that have connectivity to those systems. This second point is the one that surprises most teams: a server that never touches card data but is networked to a server that does still falls within the perimeter.
Components that typically enter the CDE without IT teams realising:
- Log servers and SIEM systems if they collect logs from systems handling PANs
- Backup systems if they include snapshots of databases containing card data
- Administrator workstations with access to payment systems
- Monitoring and alerting systems connected to the payment infrastructure
- Development and staging servers if they use real card data for testing
How much it costs to maintain a compliant CDE
The cost of maintaining a compliant CDE is not just the cost of the annual penetration test or quarterly vulnerability scan. It includes the cost of personnel dedicated to access policy management, the cost of SIEM and logging tools, annual documentation review hours, QSA consulting costs for the SAQ or audit, and the cost of architectural changes required every time a new component is added to the infrastructure.
For an SME with a medium-sized CDE, these costs range between €20,000 and €60,000 per year. For a company with distributed infrastructure and multiple environments, costs can be multiples of this. The variable that has the greatest impact is not company size, but the breadth of the CDE: the more systems are in scope, the more compliance activities multiply.
How tokenization reduces the CDE to almost zero
The logic of CDE reduction with tokenization is direct: if no card data passes through your systems, none of your systems is in the CDE. The certified vault from PCI Proxy EU becomes the in-scope component instead of your servers. Your systems receive and manage only opaque tokens, which have no value to an attacker even in the event of a breach, because they cannot be turned back into card data outside the vault.
In practice, the post-tokenization architecture is as follows: the checkout page sends card data directly to the vault via a hosted form or client-side SDK; the vault returns a token to your backend; your backend uses the token for any subsequent operation. Your log servers, backup systems and CRMs never see a PAN. The result is a CDE reduced to almost zero on the merchant side, with all the most burdensome security requirements shifting to the certified provider.
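The three-step flow above, as an added example that is not part of the original page and does not use PCI Proxy EU's real API: a hypothetical in-memory vault stands in for the certified provider, a merchant backend writes only to its own order "database" and log stream, and a final check confirms that the full PAN never appears in anything the merchant persisted or logged. The test card number is a constructed sample, not a real account.

```python
import secrets

# Constructed sample input: a widely published test card number, not a real account.
TEST_PAN = "4111111111111111"


class Vault:
    """Stand-in for the certified tokenization vault (hypothetical; not PCI Proxy EU's API).

    This is the only component that ever holds a PAN, so it is the only
    component in scope. The token -> card mapping exists nowhere else.
    """

    def __init__(self):
        self._cards = {}  # token -> {"pan": ..., "expiry": ...}

    def tokenize(self, pan: str, expiry: str) -> str:
        # An opaque token is random, not derived from the PAN. A hash of the
        # PAN would not be opaque: the PAN space is small enough to brute-force.
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        # Detokenization happens only inside the vault; the full PAN never
        # leaves it. The merchant gets back a result plus a truncated PAN
        # (last four digits), which PCI DSS allows to be stored in the clear.
        card = self._cards[token]
        return {"status": "approved", "amount": amount_cents, "last4": card["pan"][-4:]}


class MerchantBackend:
    """Merchant side: the order database and the log stream hold tokens only."""

    def __init__(self, vault: Vault):
        self.vault = vault
        self.orders = {}  # stands in for the merchant database
        self.logs = []    # what a log server or SIEM would ingest

    def place_order(self, order_id: str, token: str, amount_cents: int) -> dict:
        self.orders[order_id] = {"token": token, "amount": amount_cents}
        self.logs.append(f"order={order_id} token={token} amount={amount_cents}")
        result = self.vault.charge(token, amount_cents)
        self.logs.append(f"order={order_id} status={result['status']} last4={result['last4']}")
        return result


def checkout(vault: Vault, backend: MerchantBackend, pan: str, expiry: str,
             order_id: str, amount_cents: int) -> dict:
    """The browser's hosted form / client SDK posts card data straight to the vault."""
    token = vault.tokenize(pan, expiry)  # step 1: card data -> vault, bypassing the backend
    return backend.place_order(order_id, token, amount_cents)  # step 2: only the token reaches the backend


def merchant_side_artifacts(backend: MerchantBackend) -> str:
    """Everything the merchant persisted or logged, concatenated for inspection."""
    rows = [repr(row) for row in backend.orders.values()]
    return "\n".join(backend.logs + rows)


def pan_leaked(backend: MerchantBackend, pan: str) -> bool:
    """True if the full PAN appears anywhere on the merchant side (it never should)."""
    return pan in merchant_side_artifacts(backend)


if __name__ == "__main__":
    vault, backend = Vault(), MerchantBackend(vault)
    checkout(vault, backend, TEST_PAN, "12/30", "order-1", 1999)
    print(merchant_side_artifacts(backend))
    print("PAN on merchant side:", pan_leaked(backend, TEST_PAN))
```

The point of the random token (rather than, say, a hash of the PAN) is that a stolen copy of the merchant database or logs gives an attacker nothing to reverse: the only place a token resolves to a card is the vault, which is exactly the component that stays in scope.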
Frequently asked questions
Does a log server fall within the CDE?
It depends on what it collects and what it is connected to. If the log server collects logs from systems that handle PANs, or is networked to those systems, it falls within the CDE perimeter. If the log server is completely isolated from any payment system, it can be considered out-of-scope, but this exclusion must be documented and verifiable.
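Whether a log server "collects logs from systems that handle PANs" is something a practitioner can test rather than assume. The following added example (not from the original page) scans constructed sample log lines for 13- to 19-digit sequences, keeps only those that pass the Luhn check so that timestamps and request ids are not flagged, and reports each hit in truncated first-six/last-four form; the card numbers in the samples are widely published test numbers, not real accounts.

```python
import re

# Constructed sample log lines: two leak a PAN, one carries only a token,
# one contains a 13-digit request id that is not a card number.
SAMPLE_LOGS = [
    '2024-05-01T10:00:01Z app01 checkout: card=4111111111111111 exp=12/30 status=ok',
    '2024-05-01T10:00:02Z app02 order=1001 token=tok_Qm3xR8vKd2pL amount=1999',
    '2024-05-01T10:00:03Z app01 request-id=1234567890123 path=/health',
    '2024-05-01T10:00:04Z app03 POST /pay body={"pan":"5555 5555 5555 4444"}',
]

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters out most numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> list:
    """Return every Luhn-valid 13-19 digit sequence in one log line (separators removed)."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r'[ -]', '', m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Truncate to first six / last four, the most PCI DSS permits to be shown in the clear."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def scan_logs(lines) -> list:
    """Return (line_index, masked_pan) for every PAN found; an empty list means the stream is PAN-free."""
    hits = []
    for idx, line in enumerate(lines):
        for pan in find_pans(line):
            hits.append((idx, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: PAN {masked}")
```

A non-empty result means the systems feeding that log server are emitting PANs, and the log server (and anything downstream, such as a SIEM or backup) is in scope regardless of how the network is segmented; the fix belongs at the source, by not handling the PAN there at all or by masking before it is written.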
Does network segmentation eliminate the CDE?
Network segmentation does not eliminate the CDE: it delimits it. Systems that handle PANs remain in scope; segmentation prevents other systems from being drawn into the perimeter via connectivity. Tokenization is the only approach that reduces the CDE at source, eliminating the need to handle PANs in the merchant's systems.
With PCI Proxy EU, is my database still in scope?
If your database never stores or receives PANs, it does not fall within the CDE. With PCI Proxy EU, your database receives only tokens: there is no technical reason to include it in the PCI DSS perimeter, provided it has no direct connectivity to systems handling PANs and this segregation is documented.
Want to map your CDE and understand how much you can reduce it with tokenization? Discover PCI Proxy EU.