E-commerce is a huge commercial realm, with some 2.14 billion digital buyers worldwide by the end of 2021.

At the heart of e-commerce is the ability to keep payment card data secure during online transactions, and at the heart of payment card security is Payment Card Industry (PCI) compliance.

Technically, PCI compliance is not required by law, but it has been considered mandatory in court rulings, and credit card companies require it for merchants to process online transactions. So compliance is essential for any company that wishes to take advantage of e-commerce, which is just about every company.

Compliance begins by determining the scope of keeping your organization should achieve with the Payment Card Industry Data Security Standards (PCI DSS). The PCI DSS scope combines technologies, individuals, and processes that affect the Flow of Cardholder Data (CDH).

Another step is to consider your PCI compliance level, a set of thresholds based on the number of card transactions you handle annually. That level determines the requirements that apply to your organization. They are:

  • Level 4. At most, 20,000 transactions are processed annually. The organization can complete a Self-Assessment Questionnaire (SAQ) instead of an external audit.
  • Level 3. Between 20,000 and 1 million transactions are processed annually. Level 3 allows the merchant to complete an SAQ instead of an external audit.
  • Level 2. Between 1 and 6 million transactions are processed annually. Level 2 merchants can complete an SAQ instead of an external audit. Still, they must also complete and submit a Report of Compliance (ROC) to the banks that process the organization’s payments (acquiring banks).
  • Level 1. More than 6 million transactions are processed annually. For these organizations, an on-site assessment must include an external audit by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA) and submit an ROC to acquiring banks.

PCI DSS compliance is optional to access payment service providers. Implementing PCI DSS controls provides security to your users and minimizes reputational risks in case of data breaches.

In addition, PCI DSS project planning can be vital to protecting your stakeholders from future operational risks. Backed by a dedicated PCI compliance manager, PCI compliance can substantially reduce the burden on cybersecurity and compliance teams.

What is PCI’s scope?

PCI’s scope encompasses all processes, people, and technologies interacting with cardholder data or impacting its security within the Cardholder Data Environment (CDE). This comprises components directly involved with storing, transmitting, or processing cardholder data. Identifying and defining the scope accurately is pivotal for compliance with the stringent PCI DSS standards and its numerous security controls.

Why reduce PCI scope?

Reducing PCI scope strategically streamlines compliance efforts and fortifies security measures, aligning with PCI DSS requirements. 

By minimizing areas handling sensitive cardholder data, businesses mitigate risks, simplify compliance obligations, and allocate focused resources toward securing critical in-scope systems, fostering a more robust and efficient payment environment.

When is a system considered in scope?

Systems within the PCI scope directly handle, store, process, or transmit cardholder data, constituting the Cardholder Data Environment (CDE). This includes internal networks, software, hardware, and personnel interacting with sensitive payment information. 

Accurately identifying these in-scope systems is imperative for implementing required security controls and ensuring compliance with PCI DSS standards set by the PCI Security Standards Council (PCI SSC).

When is a system considered out of scope?

Systems are considered out of scope when they lack direct interaction or influence on cardholder data during payment transactions. These include systems solely supporting non-payment functions or those isolated from cardholder data environments. Clearly defining these out-of-scope systems helps focus compliance efforts and optimize security measures where most needed, ensuring segregation from the CDE.

Key Elements of the PCI Scoping Exercise

In 2016, the PCI Council published its Guidance for PCI Scoping and Network Segmentation due to the struggles of companies implementing PCI DSS. For example, without correctly identifying Cardholder Data (CHD) flow, companies were expected to include all system components within the scope of PCI. This requirement was unnecessary, costly, or even impossible for some organizations.

This article can help you get started with the correct identification of the PCI scope. Organizations can adapt, modify, or add new elements within the PCI DSS assessment.

Identification of CHD Reception Methods

Determine all payment channels and methods by which cardholder data is collected, from receipt by the organization to destruction or transfer.

Identification and Tracking of CHD Flows

Document all CHD flows, including the people, processes, and technologies related to storing, processing, and transmitting this sensitive information. These elements are part of the Cardholder Data Environment (CDE).

Identification of Accessory Components to the CDE

Identify all business and technical processes, systems, and personnel that can interact with the CDE. These elements are known as “security-impacting systems” and are considered part of the PCI scope due to their connection and potential impact on the security of the CHD.

Implementation of Scope Reduction Controls

Minimize the contact of the CDE with other processes, components, or personnel not essential for CHD processing. Implement controls to segment the CHD and Sensitive Authentication Data (SAD) from individuals not part of the CDE.

Implementation of Applicable PCI Requirements

Implement the appropriate controls and requirements based on the components, processes, and people determined to be in scope.

Maintenance and Monitoring

Implement controls to assure the stability and effectiveness of tools and processes related to PCI DSS. It’s also necessary to evaluate the scope as changes are made to CDE systems, processes, and personnel.

What Does it Mean to ‘Close a PCI Scope’?

As described in the Guidance for PCI Scoping and Network Segmentation, not all elements of an IT infrastructure have to be within the PCI scope. Management of data flows can link more services than needed. “Closing” the PCI scope is simply the set of strategies, controls, and solutions you use to reduce PCI scope within an organization.

The primary benefit of closing the PCI scope is lower cost: you don’t need to protect systems not involved in cardholder data security. Additionally, reducing the number of elements involved in the CDE systems reduces the risk of data breaches. Finally, lowering the PCI DSS scope can simplify monitoring and compliance by reducing the number of processes, individuals, or components.

How Do I Lower My PCI Scope?

While every organization has a different CDE, here are some best practices to help lower your organization’s PCI scope.

Get Rid of Unnecessary CHD

It isn’t always necessary to store cardholder data. Instead, use cardholder discovery tools to find misplaced CHD or CHD you didn’t know you had, eliminate this information, and implement measures to prevent these events from occurring.

Network Segmentation

Network segmentation is one of the most effective practices to minimize PCI scope within your organization. This separates CHD storage, transmission, and processing systems from systems that do not have these roles.

This segmentation can be done physically by impeding the ability to connect between systems that are part of the CDE and external systems. It can be done logically by employing firewall and router rules that prevent this contact.


Tokenization is the process of converting sensitive pieces of data into tokens to avoid compromising user information. These tokens can replace credentials in payment processing and even login credentials (although these must be created initially under the PCI DSS password requirements).

Deployment of P2PE Solutions

Point-to-point Encryption (P2PE) solutions allow effective encryption and protection of cardholder information. Through this method, solution providers can only decrypt data, and none of the transit points can access the unencrypted data.

Third-Party Outsourcing

Finally, some organizations specialize in securely protecting and processing this information on behalf of their clients and can help minimize the PCI scope of your organization. These services include log monitoring and management, server hosting facilities, and data solutions as gateways.

Best Practices for Scoping Your CDE

  1. Data Flow Mapping: Initiate by mapping cardholder data flows to identify systems and processes handling payment card information. This meticulous mapping assists in delineating the Cardholder Data Environment (CDE) and ensures card information security.
  2. System Component Identification: Identify and categorize all components involved in storing, processing, or transmitting cardholder data to ensure compliance with PCI DSS requirements. This process aids in determining the in-scope systems and segregating system components for security measures.
  3. Network Segmentation and Access Control: Implement stringent access control measures and network segmentation to isolate in-scope systems. This reduces the scope of the CDE and safeguards sensitive data within subnets and VLANs.
  4. Regular Validation and Compliance Checks: Continuously validate and update the list of in-scope systems and conduct periodic compliance checks and penetration testing to ensure adherence to PCI DSS requirements. This provides the security of cardholder data and maintains a PCI-compliant environment.
  5. Integration of Security Best Practices: Integrate industry-standard security best practices like encryption, tokenization, and other measures to fortify the security controls and maintain PCI DSS compliance within the CDE.

By adhering to these best practices, businesses can streamline the scoping process, fortify the security of the CDE, and maintain compliance with stringent PCI DSS requirements while safeguarding sensitive authentication data and payment card information.

ZenGRC & PCI Compliance Go Hand-in-Hand

ZenGRC is a user-friendly and intuitive governance, risk management, and compliance platform. It provides insightful reporting and dashboards, automated workflows, and document storage so you have optimal visibility and are always audit-ready.

ZenGRC provides you with a solid basis for IT compliance. It allows you to track the progress of your program over time to ensure that you remain compliant and prevent non-compliance fines. Stakeholders, staff, and PCI compliance managers can all access a single source of truth that covers all of your current and future PCI compliance requirements.

Schedule a demo today to learn how ZenGRC can help your PCI compliance program.