What is a cardholder data environment?
Your CDE is everything that stores, processes or transmits cardholder data, plus anything connected to it, and it defines your PCI DSS scope. The smaller it is, the cheaper and easier compliance becomes. Here's what's inside it and how to shrink it.
What counts as part of your CDE
The CDE is the people, processes and technology that store, process or transmit cardholder data, plus any system connected to them or able to affect their security. If it can touch a card number, it's in scope.
Web & checkout
Sites, apps and payment pages where cards are entered or transmitted.
Servers & apps
Application servers and services that receive, route or process card data.
Data stores
Databases, files, logs and backups that hold cardholder data, even temporarily.
Networks
Network segments the data crosses, and any systems that can reach them.
People & phone
Staff and call-centre flows that handle cards by phone or at a desk.
Connected systems
Anything connected to the above, or able to affect its security (directory services, monitoring, patch and backup systems), can be pulled into scope too.
A smaller CDE is the whole game
Every system in your CDE has to be secured, documented and audited. The most powerful way to cut PCI cost and risk is to make the CDE smaller. Tokenization does exactly that: cards are captured straight into an external PCI DSS Level 1 vault, so your own systems never hold card data and drop out of scope.
How tokenization works
Capture into the vault
Hosted fields send cards straight to the vault — never your servers.
Hold tokens, not cards
Your apps and databases store tokens, which are worthless if leaked.
Smaller assessment
With card data out of your systems, most e-commerce merchants move to SAQ A. That eligibility depends on the payment page being served entirely by the compliant provider (an embedded iframe or a redirect); JavaScript fields rendered on your own page usually land you in SAQ A-EP instead, and under PCI DSS v4 you remain responsible for the integrity of the scripts on your payment page either way.
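The three steps above in runnable form, as an added example that is not the page's or any vendor's code: a toy vault that issues random tokens with only the last four digits preserved, a merchant store that only ever sees tokens, and a Luhn-based PAN scanner you can run over your own databases, logs and backups to confirm that card data really did leave your systems. The class and function names, the store layout and the test card number are all constructed for this example; a real vault would never expose a `dump()` of its mappings, which is here only so the scanner can be shown finding the PAN where it is supposed to be.

```python
"""Tokenization in miniature: random tokens in the vault, tokens only on the
merchant side, and a PAN scanner as the check that the CDE really shrank.
Added example; every name here is hypothetical."""
import re
import secrets
import string
from typing import Dict, List


def luhn_ok(number: str) -> bool:
    """True if the digit string has a valid Luhn check digit (13-19 digits)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.  Luhn filtering below removes most false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        candidate = re.sub(r"\D", "", m.group(0))
        if luhn_ok(candidate):
            hits.append(candidate)
    return hits


class TokenVault:
    """Stand-in for the external vault: the only place the PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # The token is random (letters only, so it never looks like a PAN)
        # and not derived from the PAN; only the last four digits are kept
        # for receipts and customer display.
        while True:
            token = "tok_" + "".join(secrets.choice(string.ascii_lowercase)
                                     for _ in range(20)) + "_" + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

    def dump(self) -> str:
        """Demo only: lets the scanner show where the PAN actually lives."""
        return "\n".join(f"{t}={p}" for t, p in self._pan_by_token.items())


class MerchantStore:
    """Merchant-side database plus application log: holds tokens only."""

    def __init__(self) -> None:
        self.orders: List[dict] = []
        self.log: List[str] = []

    def save_order(self, customer: str, token: str, amount: str) -> None:
        self.orders.append({"customer": customer, "card": token, "amount": amount})
        self.log.append(f"INFO checkout {customer} card={token} amount={amount}")

    def dump(self) -> str:
        return "\n".join(str(o) for o in self.orders) + "\n" + "\n".join(self.log)


def demo() -> dict:
    """Tokenize a constructed test PAN and scan both sides for card numbers."""
    pan = "4111 1111 1111 1111"   # constructed test number, not a real card
    vault = TokenVault()
    token = vault.tokenize(pan)
    merchant = MerchantStore()
    merchant.save_order("cust-42", token, "19.99")
    # What the merchant log would have contained without tokenization.
    before_log = f"INFO checkout cust-42 card={pan} amount=19.99"
    return {
        "token": token,
        "merchant_pan_hits": find_pans(merchant.dump()),
        "before_pan_hits": find_pans(before_log),
        "vault_pan_hits": find_pans(vault.dump()),
        "roundtrip": vault.detokenize(token) == "4111111111111111",
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the before state (the raw PAN in a checkout log) as a scanner hit, the tokenized merchant store and log as zero hits, and the vault as the single place the number exists. The same `find_pans()` is the cheap check to run over database exports, log archives and backups before an assessment: any hit is a system that has quietly crept back into the CDE.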
Cardholder data environment, answered
01 What is a cardholder data environment (CDE)?
The cardholder data environment is the set of people, processes and technology that store, process or transmit cardholder data — plus any systems connected to them. It includes your web servers, applications, databases, networks and staff that touch card data, and it defines the scope of your PCI DSS assessment.
02 Why does the CDE matter for PCI DSS?
PCI DSS applies to everything in your CDE and anything connected to it. The bigger your CDE, the more systems you must secure, document and audit. Shrinking the CDE is the single most effective way to reduce PCI cost, risk and effort.
03 How does tokenization reduce the CDE?
Tokenization captures the card directly into an external PCI DSS Level 1 vault and returns a token. Because real card data never lands in your systems, those systems fall out of the CDE. For most merchants the environment shrinks dramatically and validation moves from SAQ D towards SAQ A, or SAQ A-EP where payment fields are rendered on your own page rather than in a provider-hosted iframe or redirect.
04 Can the CDE ever be reduced to zero?
You can't remove PCI obligations entirely, but you can get close to a minimal CDE. With hosted fields and tokenization, the only place card data exists is the vault, and your remaining scope is mostly the integration itself: the payment page you serve, the scripts loaded on it, and the credentials you use to call the vault. That is a very small footprint compared with storing cards yourself.
Shrink your cardholder data environment
Tell us how card data flows through your systems today and we'll map a setup that takes most of them out of scope.