What is a cardholder data environment?
CDE: Acronym for “cardholder data environment.” The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data.
What is the meaning of cardholder data?
Cardholder Data is a category of Sensitive Personal Data and includes a cardholder’s name, full account number, expiration date, and the three-digit or four-digit security number printed on the front or back of a payment card. Cardholder Data is Protected Data.
Is cardholder data personal data?
Where cardholder data includes any information that could be used to identify the individual, then it is personal data as defined by the GDPR.
What is a CDE environment?
The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. An organization’s CDE is only the starting point to determine the overall PCI DSS scope.
What makes up cardholder data?
Cardholder data includes the primary account number (PAN) along with any of the following data types: cardholder name, expiration date or service code. A service code is a three- or four-digit number on cards that use a magnetic stripe.
What is the simple rule to protect cardholder data?
Protect stored cardholder data. This rule states that any cardholder data stored on your network must be protected. That typically means perimeter defenses like the firewall mentioned above, along with encryption of cardholder data stored at rest on your network.
Why is it important to protect cardholder data?
Providing customers with secure payment options is good for your brand and your bottom line. A data breach could result in fines from the payment card brands and remediation costs in the event of cardholder data loss – this is in addition to loss of business and your brand reputation.
What is not cardholder data?
Cardholder data, aka CHD, comes from credit, debit, and prepaid cards bearing the logo of one of the PCI founding card brands. Truncated cardholder data is not considered cardholder data. For more see the official PCI Compliance glossary.
What is not considered as cardholder data?
CHD includes the primary account number (PAN) alone or in combination with any of name, expiry date, and a piece of hidden data called a service code. Truncated cardholder data is not considered cardholder data.
What is considered sensitive cardholder data?
Sensitive Authentication Data: Security-related information (including, but not limited to, card validation codes/values (e.g., three-digit or four-digit value printed on the front or back of a payment card, such as CVV2 and CVC2 data), full magnetic-stripe data, PINs, and PIN blocks) used to authenticate cardholders …
What is CDE data management?
Part of a strong data governance strategy is understanding what data is the most critical and needs special attention. This data is what’s termed “critical data elements” (CDE). CDE are essential to your company’s success and decision-making capabilities – even if only to one department.
What is the best way to dispose of cardholder data?
When sensitive or credit card data is no longer required for legal, contractual, or business purposes, it must be destroyed. Paper containing cardholder data awaiting destruction should be stored in a secure container secured with a lock to prevent access to its contents.
What is the cardholder data Environment (CDE)?
Keeping the definition of cardholder data in mind, let’s move on to the cardholder data environment (CDE), which is the environment on which a PCI compliance assessment should be focused. In other words, the CDE is equivalent to the scope of the assessment.
What is a cardholder data?
Cardholder data is the data on any payment card (credit, debit, gift card, flexible spending, prepaid, and others) that has a Visa, MasterCard, Discover, American Express, or JCB logo on it.
What is the difference between cardholder data and sensitive authentication data?
Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code [found on the magnetic stripe]. Sensitive Authentication Data are additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
What is PCI DSS cardholder data?
The PCI Security Standards Council (PCI SSC), the body that administers the PCI DSS, is a bit more specific in its official definition, citing, “At a minimum, cardholder data consists of the full PAN.”