What is PCI DSS Scope?
PCI DSS scope refers to all the systems, networks, people, and processes that store, process, or transmit cardholder data — or that could affect the security of systems that do. Everything within scope must meet PCI DSS requirements and is subject to assessment.
PCI DSS scope refers to the collection of systems, people, processes, and technologies that fall under the requirements of the Payment Card Industry Data Security Standard. In simple terms, if something touches, processes, stores, or transmits cardholder data -- or could affect the security of systems that do -- it is "in scope" for PCI DSS and must meet the standard's requirements.
Getting scope right is one of the most important and most misunderstood aspects of PCI DSS compliance. Define it too narrowly and you miss systems that should be secured, leaving gaps that could lead to a breach. Define it too broadly and you end up trying to apply PCI controls to systems that do not need them, wasting time and money.
How PCI DSS Scope Is Determined
The PCI Security Standards Council provides guidance on scoping, but the core principle is straightforward: anything that could impact the security of cardholder data is in scope.
Systems fall into three categories:
Category 1: Systems That Directly Handle Card Data
These are the systems that store, process, or transmit cardholder data. Examples include:
- Payment terminals and point-of-sale systems
- Virtual terminals where agents key in card numbers
- Payment gateway servers
- Databases that store card information
- Call recording systems that capture card details spoken during phone calls
- Agent workstations where card data is entered or displayed
Category 2: Systems That Can Affect Security
These systems do not handle card data directly but could compromise systems that do. They are sometimes called "connected-to" or "security-impacting" systems. Examples include:
- Firewalls and routers that control access to the cardholder data environment
- Authentication servers (like Active Directory) that manage access credentials
- Logging and monitoring systems that track activity in the payment environment
- Network switches that carry traffic between in-scope systems
Category 3: Out of Scope
Systems that have no connectivity to the cardholder data environment and cannot affect its security are out of scope. However, you must be able to demonstrate this isolation clearly. A system is only out of scope if it genuinely has no path -- direct or indirect -- to systems that handle card data.
The Challenge of Scope in Contact Centres
Contact centres face particularly complex scoping challenges. When a customer provides card details over the phone, the scope can expand dramatically:
- Agent workstations: If agents hear or type card details, their computers are in scope -- including the operating system, applications, and any screen recording tools
- Telephony infrastructure: The phone system, PBX, SIP trunks, and any voice-over-IP infrastructure carrying the call are in scope
- Call recording: If card details are spoken during a call, the recording system and all associated storage are in scope
- The network: The LAN connecting agent desktops to payment systems, and any network segments that are not properly segmented from the cardholder data environment
- Physical premises: The building, floor, or area where agents handle card data requires physical access controls
In a typical contact centre, this means almost the entire IT infrastructure and physical environment can end up in scope -- all because card data passes through the voice channel.
Reducing Scope (Descoping)
Descoping is the process of removing systems from PCI DSS scope by ensuring they never come into contact with cardholder data. The less that is in scope, the less there is to secure, audit, and maintain -- which translates directly into lower compliance costs and reduced risk.
Common descoping strategies include:
Network Segmentation
Isolating the cardholder data environment (CDE) from the rest of the network using firewalls, VLANs, and access controls. Systems on the other side of the segmentation boundary are out of scope, provided the segmentation is properly implemented and tested.
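The Category 3 rule above (no path, direct or indirect, to a system handling card data) and the segmentation boundary described in this section can be checked mechanically as a reachability problem over a system inventory. The example below is added here and is not the page's or Paytia's own code; the inventory, system names and the blocked-edge model of a segmentation control are constructed for illustration.

```python
from collections import deque

# Constructed inventory: system -> systems it has an allowed network path to.
CONSTRUCTED_NETWORK = {
    "pos-terminal":     {"payment-gateway", "store-switch"},
    "payment-gateway":  {"pos-terminal", "card-db", "cde-firewall"},
    "card-db":          {"payment-gateway", "cde-firewall"},
    "cde-firewall":     {"payment-gateway", "card-db", "core-switch"},
    "store-switch":     {"pos-terminal", "core-switch"},
    "core-switch":      {"cde-firewall", "store-switch", "hr-server", "guest-wifi-ap"},
    "hr-server":        {"core-switch"},
    "guest-wifi-ap":    {"core-switch"},
    "marketing-laptop": set(),  # no connectivity at all
}

# Constructed: systems that store, process or transmit cardholder data (Category 1).
CONSTRUCTED_CHD_SYSTEMS = {"pos-terminal", "payment-gateway", "card-db"}


def classify_scope(network, chd_systems, blocked_edges=frozenset()):
    """Return {system: category}. Category 1 handles card data; Category 2 has
    any direct or indirect path to a Category 1 system; Category 3 has none.
    blocked_edges holds frozenset({a, b}) pairs that a tested segmentation
    control (firewall rule, VLAN ACL) prevents traffic on. Any path that is
    not blocked counts as connectivity, matching the page's scoping rule."""
    def neighbours(node):
        return (n for n in network.get(node, ())
                if frozenset((node, n)) not in blocked_edges)

    # Breadth-first search outward from every card-data system.
    reachable = set(chd_systems)
    queue = deque(chd_systems)
    while queue:
        node = queue.popleft()
        for n in neighbours(node):
            if n not in reachable:
                reachable.add(n)
                queue.append(n)

    return {s: 1 if s in chd_systems else 2 if s in reachable else 3
            for s in network}


if __name__ == "__main__":
    # Same inventory before and after the CDE boundary is enforced.
    segmentation = {frozenset(("cde-firewall", "core-switch")),
                    frozenset(("store-switch", "core-switch"))}
    print("flat network:", classify_scope(CONSTRUCTED_NETWORK, CONSTRUCTED_CHD_SYSTEMS))
    print("segmented:   ", classify_scope(CONSTRUCTED_NETWORK, CONSTRUCTED_CHD_SYSTEMS, segmentation))
```

Note that the firewall enforcing the boundary stays in scope (Category 2) because it remains adjacent to the CDE, which is exactly the page's point about "connected-to" systems; only systems on the far side of a tested block drop to Category 3.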
Tokenisation
Replacing actual card numbers with tokens -- random values that have no exploitable meaning outside the tokenisation system. Once card data is tokenised, systems that only handle tokens are out of scope because they never touch real card data.
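To make the "no exploitable meaning outside the tokenisation system" property concrete, the example below is an added illustration (not the page's or Paytia's code) of a minimal token vault: tokens come from a CSPRNG rather than being derived from the card number, so a downstream order record holding only the token and a truncated PAN carries nothing that can be reversed without the vault. The `TokenVault` class, `store_order` helper and the well-known test card number are constructed for this example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check so obviously mistyped numbers are rejected before tokenising."""
    digits = [int(d) for d in pan if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed tokenisation service: the only component that ever sees a PAN.
    Systems that store the returned token never handle real card data."""

    def __init__(self):
        self._by_token = {}     # token -> PAN; a real vault encrypts this at rest

    def tokenize(self, pan: str) -> str:
        pan = "".join(ch for ch in pan if ch.isdigit())
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random token, not a hash or encryption of the PAN: holding the token
        # (or many tokens) gives no way to compute the card number back.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the vault's trust boundary (e.g. to charge the card)."""
        return self._by_token[token]

    def truncated(self, token: str) -> str:
        """Last four digits only, which PCI DSS permits to be displayed."""
        pan = self._by_token[token]
        return "*" * (len(pan) - 4) + pan[-4:]


def store_order(vault: TokenVault, pan: str, amount_pence: int) -> dict:
    """What an out-of-scope order system keeps: token and truncated PAN, never the PAN."""
    token = vault.tokenize(pan)
    return {"amount_pence": amount_pence, "card_token": token,
            "card_display": vault.truncated(token)}
```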
DTMF Masking for Telephone Payments
DTMF masking removes card data from the voice channel entirely. Because agents never hear card numbers and recordings never capture them, the entire contact centre telephony environment -- agent desktops, phone systems, recording infrastructure, and the network connecting them -- can be descoped from PCI DSS.
This is one of the most effective descoping strategies available to any business that takes telephone payments, because it addresses the broadest range of in-scope systems in a single step.
Point-to-Point Encryption (P2PE)
For in-store payments, validated P2PE solutions encrypt card data at the point of interaction (the card reader) and keep it encrypted until it reaches the payment processor. Systems between those two points only handle encrypted data and are out of scope.
Why Scope Matters
The size of your PCI DSS scope directly determines the cost and complexity of compliance. More in-scope systems mean more controls to implement, more patches to manage, more logs to monitor, more vulnerability scans to run, and more documentation to maintain. It also means a larger attack surface for potential breaches.
Organisations that invest in reducing scope upfront typically find that compliance becomes simpler, cheaper, and more sustainable. Instead of trying to secure everything, they focus their resources on a smaller, well-defined environment where controls can be tightly managed.
Reducing PCI DSS scope is one of the primary benefits Paytia delivers to its clients. By using DTMF masking to prevent card data from entering the voice channel, Paytia removes the entire contact centre environment from PCI DSS scope -- agent workstations, phone systems, call recordings, and the network infrastructure connecting them.
This descoping effect is significant. Instead of securing every component of a contact centre to PCI standards, businesses only need to ensure their connection to Paytia's PCI DSS Level 1 certified platform is properly configured. For more information on how this works in practice, see our guide to descoping your PCI environment.
Frequently Asked Questions
What puts a system in PCI DSS scope?
Any system that stores, processes, or transmits cardholder data is in scope. Systems that are connected to or could affect the security of those systems are also in scope. This includes servers, workstations, network devices, phone systems, call recording platforms, and even the physical premises where card data is handled.
How can a contact centre reduce its PCI DSS scope?
The most effective way is to prevent card data from entering the contact centre environment in the first place. DTMF masking technology achieves this by routing card details directly to the payment processor without them passing through the voice channel, agent desktops, or call recordings. This descopes the entire telephony and agent environment from PCI DSS.
Does reducing PCI DSS scope reduce security?
No -- the opposite is true. Reducing scope means fewer systems handle sensitive data, which reduces the attack surface and the number of potential points of compromise. The card data is still fully protected, but by concentrating it in a smaller, purpose-built secure environment rather than spreading it across an entire organisation.