For example, consider what happens in the case that you have an application that currently intersects your cardholder data environment (CDE) and where you???ve historically addressed PCI requirement 6.6 for that application by deploying a WAF. If you contract with a service provider that offers everything up to and including the application server stack, you may limit your ability to deploy a tech