Inside and Outside the Cardholder Data Environment

Finding the common ground where compliance and security meet 

Businesses have spent an enormous amount of money on PCI compliance. It is time to leverage these existing investments and expand them to include payment security. Therefore, it’s important to find the common ground where PCI compliance and payment security can benefit one another. The quickest way for cyber security professionals to get thrown out of the board room is to say, “Remember that PCI thing? Well, scratch that, we need funding for a whole new security approach.” There is little tolerance in the business community to start over with PCI compliance to ensure payment security. 

The business climate for security will continue to change as digital transformation puts more and more pressure on payment security and PCI compliance. Business security stakeholders have been preached to for twenty years about these requirements. It’s time to transition what cyber security professionals have learned during these last two decades into something that can protect the next generation of payment transactions and reduce the risk of financial theft.   

One of the fundamental truths of how our industry has dealt with complying with the PCI standard is that we’ve tried to make it a non-event. We’ve done this by locking the payment environment into an enclave that gets “special” treatment in order to be PCI compliant. The PCI standard would refer to this as a network containing ‘cardholder data’, and we’ve grown accustomed to referring to our (often somewhat arbitrary) distinction of this network as the ‘CDE’ or ‘Cardholder Data Environment’, although in practice those of us in the industry have given this network what is a far more appropriate and dangerous term: ‘The PCI environment’. The PCI standard says, in its very first requirement, “Build and maintain a secure network.” Unfortunately, it has become standard practice to use this requirement (and others) to segment our security program activities into two distinct categories: Things we do ‘inside’ the CDE, and things we do ‘outside’ the CDE. In an effort to be compliant we’ve created an interesting paradox: We’re willing to spend the last dollar on the credit card environment while the breaches are most likely to come from somewhere else, if history is any indication. In this paradox lies precisely the reason the major retail breaches have all occurred against companies who had attested to the fact that they were PCI compliant and things ‘inside’ the CDE were secure. 

Merchants need to rethink the use of compliance budgets. They need to think about how to more effectively use that money on not only compliance but overall security to improve and simplify PCI compliance. These investments can be leveraged to secure the entire payment process, inside and outside the cardholder data environment. PCI Compliance is the output of an effective security strategy.   

In the white paper, Building a Secure Payment Lifecycle, Optiv expands upon the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, and it describes additional considerations that influence merchants’ ability to attain not only compliance but also solve top payment security challenges.