What is Descoping PCI DSS?
Descoping PCI DSS is the strategy of removing systems, processes, and people from the scope of PCI DSS requirements by ensuring cardholder data never enters those environments, dramatically reducing compliance cost and complexity.
What Is Descoping PCI DSS?
Descoping PCI DSS means reducing the number of systems, networks, and processes in your organisation that fall within the scope of PCI DSS compliance. Instead of trying to secure every system that might touch cardholder data, descoping removes cardholder data from those systems entirely, so they no longer need to meet PCI DSS requirements.
It is the difference between fitting every room in your house with a high-security lock and simply not keeping valuables in most of the rooms. If a room never contains anything sensitive, there is no need to secure it to the same standard. Descoping applies the same logic to your IT and telephony infrastructure.
Why Descoping Matters
PCI DSS compliance is expensive, time-consuming, and complex. Every system that stores, processes, or transmits cardholder data must meet the full set of PCI DSS requirements. For a contact centre, this might include:
- Agent workstations and the software running on them
- The internal network connecting those workstations
- Call recording systems that capture card data in audio form
- CRM and billing systems where card data is entered or displayed
- The telephony infrastructure carrying voice data
- Physical security controls in the areas where agents work
Securing all of these systems requires firewalls, encryption, access controls, monitoring, regular vulnerability scanning, penetration testing, and, depending on transaction volume and what the acquirer requires, either a Self-Assessment Questionnaire or a full on-site assessment (a Report on Compliance) by a Qualified Security Assessor. The cost adds up quickly, particularly for larger organisations with hundreds of agents.
Descoping reduces or eliminates these costs by ensuring that cardholder data never enters the systems in the first place.
How Descoping Works
Descoping is achieved by using technologies and processes that prevent cardholder data from entering your environment. The most common approaches include:
DTMF Masking
In telephone payment environments, DTMF masking lets customers key their card details on the phone keypad while the agent stays on the line. A masking service sits in the call path: it detects each keypad tone on the caller's leg, passes the digits to the payment processor, and replaces the tone with silence or a flat tone in the audio that reaches the agent and the call recorder. The card data is routed directly to a PCI-certified payment processor without passing through the contact centre infrastructure. The agent hears the conversation but never hears, sees, or handles the card data. Keypad digits can travel either as in-band audio tones or as out-of-band signalling events (RFC 4733 telephone-events in the RTP stream), and a masking service that suppresses only one of the two has not descoped anything, so confirm that both paths are covered.
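The masking step, simulated end to end as an added example (this is not Paytia's code or any vendor's product). A masking proxy detects keypad tones on the caller's leg with a Goertzel filter, hands the digits to the payment capture path, and forwards a flat tone to the agent and recorder in place of each digit; the same detector run over the forwarded leg then recovers nothing. The 8 kHz audio, 80 ms key presses with 40 ms gaps, one key per frame, the 1000 Hz replacement tone and the well-known test PAN 4111 1111 1111 1111 are all assumptions made for the illustration.

```python
"""DTMF masking simulated end to end (added example, not Paytia's code).

Assumptions (not from the page): 8 kHz PCM audio, 80 ms key presses with
40 ms gaps, one key per frame, a 1000 Hz replacement tone, and the
well-known test PAN 4111 1111 1111 1111 as the keyed number.
"""
import math

SAMPLE_RATE = 8000
KEY_MS, GAP_MS = 80, 40
MASK_HZ = 1000        # replacement tone heard by agent and recorder
THRESHOLD = 0.05      # normalised power; a 0.5-amplitude tone scores about 0.25

LOW = (697, 770, 852, 941)
HIGH = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def _tone(freqs, n, amp=0.5):
    """n samples of the sum of sinusoids at the given frequencies."""
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def synth_key(key):
    """Audio frame for one keypad press (its row and column DTMF pair)."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            return _tone((LOW[r], HIGH[row.index(key)]), SAMPLE_RATE * KEY_MS // 1000)
    raise ValueError(f"not a DTMF key: {key!r}")


def caller_leg(keys):
    """Constructed caller audio: one frame per key, a silence frame between keys."""
    gap = [0.0] * (SAMPLE_RATE * GAP_MS // 1000)
    frames = []
    for k in keys:
        frames += [synth_key(k), gap]
    return frames


def goertzel_power(frame, freq):
    """|DTFT of frame at freq|^2, normalised so a pure tone of amplitude A scores A^2."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (len(frame) / 2) ** 2


def detect_key(frame):
    """Return the key whose row and column tones are both present, else None."""
    if not frame:
        return None
    low = {f: goertzel_power(frame, f) for f in LOW}
    high = {f: goertzel_power(frame, f) for f in HIGH}
    fl, fh = max(low, key=low.get), max(high, key=high.get)
    if low[fl] < THRESHOLD or high[fh] < THRESHOLD:
        return None
    return KEYPAD[LOW.index(fl)][HIGH.index(fh)]


def masking_proxy(frames):
    """Split the caller leg: digits go to payment capture, masked audio to agent/recorder."""
    captured, forwarded = [], []
    for frame in frames:
        key = detect_key(frame)
        if key is None:
            forwarded.append(frame)                    # speech and silence pass through
        else:
            captured.append(key)                       # only the capture path sees the digit
            forwarded.append(_tone((MASK_HZ,), len(frame)))  # same timing, no digit
    return "".join(captured), forwarded


def detect_all(frames):
    """What a recorder (or anyone holding the recording) could recover."""
    return "".join(k for k in map(detect_key, frames) if k)


def run_demo(pan="4111111111111111"):
    frames = caller_leg(pan)
    captured, forwarded = masking_proxy(frames)
    return {
        "captured": captured,              # forwarded to the payment processor
        "leaked": detect_all(forwarded),   # digits recoverable from the agent/recorder leg
        "frames_in": len(frames),
        "frames_out": len(forwarded),
    }


if __name__ == "__main__":
    print(run_demo())
```

The frames here are pre-segmented for clarity; a real masker works on RTP packets in real time and has to segment on the inter-digit gaps itself, and it must also strip RFC 4733 telephone-event packets, which carry the digit as a number rather than as audio and would sail past a tone detector.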
Hosted Payment Pages and Payment Links
For online and hybrid payments, hosted payment pages capture card data on a page operated by the payment provider, not by the merchant. Payment links extend this to phone and email channels: the merchant sends a link, the customer enters their details on the provider's secure page, and the merchant's systems never touch the card data.
Tokenisation
After the initial secure capture of card data, tokenisation replaces the card number with a token that has no value outside the tokenisation system: it cannot be used to pay elsewhere and cannot be reversed without access to the token vault. The merchant stores the token, not the card number. This takes the merchant's database, CRM, and billing systems out of scope, provided they only ever hold and pass the token. The point where the card number is first captured, and any system able to detokenise, remain in scope.
Point-to-Point Encryption (P2PE)
For card-present payments, PCI-validated P2PE solutions encrypt card data inside the payment terminal at the point of capture and keep it encrypted until it reaches the solution provider's decryption environment. Because the merchant never holds the decryption keys, the networks and systems the encrypted data passes through are out of scope, and the merchant may be eligible for SAQ P2PE. The terminals themselves stay in scope: the merchant must keep a device inventory and inspect terminals for tampering or substitution. The descoping only holds for a solution listed by the PCI Security Standards Council, not for any product that merely advertises encryption.
The Impact of Descoping
The practical impact of descoping can be dramatic. Consider a contact centre with 200 agents that currently handles card data through agent-entered virtual terminals:
- Before descoping: 200 workstations, the telephony network, the call recording platform, the CRM system, and the internal network are all in PCI DSS scope. The organisation faces annual compliance costs of tens of thousands of pounds, plus the ongoing operational overhead of maintaining security controls across all these systems.
- After descoping: card data is captured through DTMF masking and routed directly to a PCI-certified processor. The workstations, telephony network, call recording platform, and CRM system are all out of scope. The compliance obligation shifts to the PCI-certified service provider, and provided no card data is stored, processed, or transmitted on the organisation's own systems (including recordings, e-mail, and agent notes), the organisation may qualify for the simplest Self-Assessment Questionnaire (SAQ A).
Descoping and Telephone Payments
Contact centres are one of the environments where descoping has the biggest impact. Traditional phone payment processes put card data into the voice stream, the agent's workflow, and the recording system, creating a wide compliance scope. Descoping through DTMF masking or payment links removes card data from all of these touchpoints in a single step.
This does not just reduce cost. It improves security. The reason descoping works is that data which is not present cannot be stolen. No amount of firewall configuration, encryption, or monitoring can match the security of simply not having the data there in the first place.
Practical Considerations
- Descoping is not the same as not needing to comply. Even fully descoped organisations must complete the appropriate SAQ and maintain an Attestation of Compliance
- Network segmentation reduces scope rather than removing it. Isolating the systems that handle card data from those that do not keeps the latter out of scope, but the segmentation controls themselves (firewall rules, VLAN boundaries, access controls) are in scope and must be penetration-tested at least annually to show they hold. Removing card data entirely is simpler to maintain and leaves nothing to re-test
- Third-party provider due diligence is essential. When you descope by outsourcing card data handling to a provider, their compliance status directly affects your security posture
- Validate your scope before assuming it. Run a data-discovery scan across the systems you believe are out of scope (call-recording transcripts, CRM free-text fields, ticketing notes, e-mail, application logs) looking for card numbers, and check for agent workarounds such as digits typed into chat or notes. Then have a Qualified Security Assessor confirm the scope. A single card number found in an "out of scope" system pulls that system, and whatever it connects to, back in
- PCI DSS v4.0 (superseded by v4.0.1, with the future-dated requirements mandatory from 31 March 2025) has raised the bar for organisations that handle card data directly, making descoping even more attractive from a cost-benefit perspective
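The scope-validation check from the list above, as an added example that is not part of the original page or of any vendor's tooling: a PAN discovery sweep over text exported from systems believed to be out of scope. A candidate is 13 to 19 digits with optional spaces or dashes that passes the Luhn check; the report records only the location, the length and the last four digits, so the scan never creates a new store of full card numbers. The sample CRM notes, log lines and recorder metadata are constructed for the example and use well-known test card numbers.

```python
"""PAN discovery over exports from systems assumed to be out of PCI DSS scope.

Added example, not Paytia's code. Sample inputs below are constructed.
"""
import re

# 13-19 digits, each optionally followed by one space or dash, bounded by non-digits
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text, source):
    """Yield one finding per Luhn-valid candidate; the full PAN is never stored."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                yield {"source": source, "line": lineno,
                       "length": len(digits), "last4": digits[-4:]}


# Constructed samples from four systems a contact centre might assume are out of scope.
SAMPLES = {
    "crm_notes.txt": (
        "Customer called re invoice 10045, card ending 4242 on file\n"
        "Agent note: took payment over the phone, card 4111 1111 1111 1111 exp 12/26\n"
    ),
    "app.log": (
        "2024-05-01T10:22:03Z INFO order=98765432109876 total=19.99\n"   # 14 digits, fails Luhn
        "2024-05-01T10:22:04Z INFO gateway token=tok_8f1c2e status=approved\n"
    ),
    "recorder_meta.csv": (
        "call_id,duration,dtmf_digits\n"
        "7f3a,183,5555-5555-5555-4444\n"                                  # unmasked keypad digits
    ),
    "helpdesk.txt": "Tel 0161 234 5678 ref 1234, no card details taken\n",
}


def scan_sources(sources=SAMPLES):
    """Return all findings across the given {name: text} sources."""
    return [f for name, text in sources.items() for f in scan_text(text, name)]


if __name__ == "__main__":
    for f in scan_sources():
        print(f"{f['source']}:{f['line']} {f['length']}-digit PAN ending {f['last4']}")
```

Two of the four sources produce hits: the agent's free-text note and the recorder's metadata field that logged the keypad digits, which is exactly the kind of leak that would invalidate an SAQ A claim. The order number in the log is rejected by the Luhn check. Format-preserving tokens that happen to pass Luhn will also be flagged; treat those as items to review rather than tune out, since the point of the sweep is to find anything you did not expect. Audio recordings have to be transcribed, or run through a DTMF detector, before a text scan like this can see them.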
Descoping is the most effective strategy for managing PCI DSS compliance. Rather than building an ever-more-complex fortress around cardholder data, smart businesses are removing the data from their environment entirely and letting PCI-certified specialists handle it. The result is better security, lower costs, and simpler operations.
Descoping is the whole point of what we do. When a customer keys their card during a call, DTMF masking stops those digits ever reaching your agents, your call recordings or your network — they go straight to your own payment gateway. Pull the card data out of all those systems and they fall out of PCI DSS scope, which is how most of our merchants drop to SAQ A. You still complete the right self-assessment, but you're assessing a much smaller footprint.
Frequently Asked Questions
What does descoping PCI DSS mean?
It means taking systems out of the scope of PCI DSS by making sure card data never touches them in the first place. A system that never sees a card number doesn't need to meet the full set of PCI controls — so the cheapest way to secure it is to keep the data away from it.
How does Paytia descope a contact centre?
Customers enter their card on the phone keypad and DTMF masking keeps those digits off the agent's headset, out of the call recording, and off your network. The card data routes directly to your gateway. With no card data flowing through your agent workstations, telephony, or CRM, those systems come out of scope.
Do I still have to do anything for PCI DSS if I'm descoped?
Yes — descoping reduces your obligation, it doesn't remove it. You still complete the right Self-Assessment Questionnaire and keep an Attestation of Compliance. The difference is that most descoped phone-payment merchants qualify for SAQ A, the shortest one, instead of SAQ D.
See how Paytia handles descoping PCI DSS
Book a personalised demo and we'll show you how our platform works with your setup.
Trusted by law firms, insurers, healthcare providers and regulated businesses worldwide. Learn more about Paytia