AWS Glossary
PCI DSS Cardholder Data Environment
Defined network scope in PCI DSS compliance that directly handles credit card payment data.
Definition
The Cardholder Data Environment (CDE) is the portion of a network that stores, processes, or transmits cardholder data. In PCI DSS compliance, the CDE is the defined scope that must meet all 12 PCI DSS requirements. Systems outside the CDE are subject to fewer security requirements.
What’s In the CDE?
Systems that store/process/transmit cardholder data:
- Payment gateway (processes credit card transactions)
- Database containing card data
- Point-of-sale (POS) systems
- Payment processing APIs
Cardholder data includes:
- Full Primary Account Number (PAN) — card number
- Service code and expiration date
- Cardholder name
- Cardholder address (sometimes)
What’s Outside the CDE?
Systems that don’t touch cardholder data:
- User account systems (email, password, profile)
- Product catalog and inventory
- Shipping and logistics
- Support and billing (if not storing card data)
- Analytics systems (if using non-card identifiers)
Strategy: Route payments externally
- Use a third-party payment processor (Stripe, Square, PayPal)
- Send card data directly to the processor and receive a token in return
- Your system never touches raw card data
- Drastically reduces PCI DSS scope
PCI DSS Scope Reduction Strategy
Highest Compliance Effort (Full Scope)
- Your systems process cards directly
- Full 12 PCI DSS requirements
- Annual audit required
- Estimated cost: $50K-100K+
Better Approach (Tokenization)
- Send card data directly to the payment processor
- Your system stores and uses tokens (opaque identifiers) instead of card numbers
- Scope is reduced to the systems that handle tokens
- Estimated cost: $20K-40K
Simplest Approach (Hosted Payment Page)
- Redirect customer to processor’s payment page
- Your system never sees card data
- Minimal PCI scope
- Estimated cost: $5K-15K
AWS-Specific Considerations
CDE Network Architecture
- Isolate CDE in private VPC with strict security groups
- Database encryption (RDS KMS encryption)
- VPN or direct connection for access
- No direct internet access to CDE
- All access logged (CloudTrail, VPC Flow Logs)
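As an added example (not part of this glossary entry), the following Python script checks a constructed CDE inventory against the architecture controls listed above: no ingress from outside trusted ranges, encrypted and non-public RDS instances, and VPC Flow Logs enabled. The trusted range, the sample inventory and the field names (modelled on boto3 describe_security_groups / describe_db_instances output) are assumptions.

```python
from ipaddress import ip_network

# Assumed internal CIDR covering the CDE VPC and the VPN used for access.
TRUSTED_RANGES = [ip_network("10.0.0.0/8")]

# Constructed sample inventory (not real account data), shaped like the
# fields returned by boto3 describe_security_groups / describe_db_instances.
CDE_INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-cde-app", "IpPermissions": [
            {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
        {"GroupId": "sg-cde-db", "IpPermissions": [
            {"FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "db_instances": [
        {"DBInstanceIdentifier": "cde-cards", "StorageEncrypted": True, "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "cde-legacy", "StorageEncrypted": False, "PubliclyAccessible": True},
    ],
    "flow_logs_enabled": False,
}


def audit_cde(inventory):
    """Return one finding string per CDE control that fails; empty list means all pass."""
    findings = []
    # Control: no direct internet access; ingress only from trusted (private/VPN) ranges.
    for sg in inventory["security_groups"]:
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                cidr = ip_network(rng["CidrIp"])
                if not any(cidr.subnet_of(trusted) for trusted in TRUSTED_RANGES):
                    findings.append(
                        f"{sg['GroupId']}: port {perm['FromPort']} open to {cidr} "
                        "(CDE must not be reachable from outside trusted ranges)")
    # Control: database encryption at rest (RDS KMS) and no public endpoint.
    for db in inventory["db_instances"]:
        name = db["DBInstanceIdentifier"]
        if not db["StorageEncrypted"]:
            findings.append(f"{name}: storage not encrypted (enable RDS KMS encryption)")
        if db["PubliclyAccessible"]:
            findings.append(f"{name}: publicly accessible (CDE database must be private)")
    # Control: all access logged.
    if not inventory["flow_logs_enabled"]:
        findings.append("VPC Flow Logs disabled: CDE network access is not logged")
    return findings


if __name__ == "__main__":
    for finding in audit_cde(CDE_INVENTORY):
        print("FAIL", finding)
```

Against the sample inventory the script reports four failures: the database security group open to 0.0.0.0/0, the unencrypted and public cde-legacy instance (two findings), and missing flow logs.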
Common Mistakes
- Building CDE when payment processor can reduce scope
- Storing full card data instead of tokens
- Insufficient network segmentation
- Lack of encryption for data in transit and at rest
Related AWS Services
- VPC for network isolation
- AWS KMS for encryption key management
- RDS with encryption at rest
- TLS/SSL for encryption in transit
- CloudTrail for audit logging
- AWS WAF for web application firewall