Module 5 of 10 · PCI Compliance 101

Module 5: How to Descope Your PCI Environment

Descoping means removing card data from your systems so fewer PCI DSS requirements apply to you. It's the single most effective way to simplify compliance and reduce costs.

For the formal definition see Descoping PCI. This module is the learn-by-doing version.

PCI DSS compliance gets exponentially harder as more of your business sits "in scope" — every server, every workstation, every staff member touching card data adds controls, audits, and ongoing maintenance. Descoping flips that maths. Done well, it can take a contact centre from the long-form SAQ D (329 questions) to the short-form SAQ A (22 questions) — the same business, a fraction of the compliance burden.

Descoping is the practice of removing cardholder data from a business's systems, networks, and staff so that fewer of them fall under PCI DSS — the Payment Card Industry Data Security Standard. The usual route is to send card data straight through a PCI-compliant provider that captures and stores it in its own certified environment, keeping the digits out of the contact centre, the call recording, and the database. The result: fewer controls to implement, lower audit costs, and a shorter Self-Assessment Questionnaire. Descoping is also called PCI scope reduction.

A descoping strategy targets the three dimensions where PCI DSS scope spreads: data flow (which systems carry the digits), connectivity (which systems connect to the systems carrying the digits), and people (which staff can access either). The most effective descoping move in a contact centre is DTMF masking or hosted IVR — both keep card data off the agent's audio path, off the call recording, and out of the policy-administration system. Done properly, PCI scope reduction can take a contact centre from the 329-control SAQ D down to the 22-control SAQ A.

What Descoping Means and Why It Matters

If there's one concept that can dramatically simplify your approach to PCI DSS compliance, it's descoping. In plain terms, descoping means reducing the number of systems, processes, and people in your business that come into contact with cardholder data. The fewer things in scope, the fewer PCI DSS requirements you need to worry about — and the simpler, cheaper, and faster your compliance becomes.

Here's why this matters so much: PCI DSS scope is determined by data flow, not intention. Every system that stores, processes, or transmits cardholder data is in scope. Every system connected to those systems is in scope. Every person who can access those systems is in scope. It spreads like ripples in a pond. A single unprotected pathway for card data can pull your entire network, all your workstations, and every member of staff into the compliance boundary.

Descoping reverses that process. By removing card data from your environment — or at least confining it to as few systems as possible — you shrink the compliance boundary dramatically. The result? Fewer controls to implement, fewer questions on your SAQ, lower audit costs, and less ongoing maintenance. For many businesses, a well-executed descoping strategy is the difference between PCI compliance being a manageable task and an overwhelming burden.

Understanding PCI DSS Scope

Before you can descope, you need to understand what's currently in scope. PCI DSS scope encompasses three categories:

  • Systems that directly handle cardholder data — payment terminals, servers processing transactions, databases storing card numbers, applications displaying card details
  • Systems connected to those that handle cardholder data — if your payment server sits on the same network segment as your file server, that file server is in scope too
  • Systems that could affect the security of cardholder data — this includes authentication servers, logging systems, firewalls, and DNS servers that the cardholder data environment relies on

The scope also extends to people and processes. If your contact centre agents hear card numbers spoken over the phone, those agents are in scope. Their workstations are in scope. The phone system is in scope. The call recording system is in scope. The training programme for those agents is in scope. It adds up quickly.

This is why a thorough data flow analysis is the essential first step. Map out everywhere card data enters, flows through, and exits your business. Every touchpoint is a potential scope item — and every touchpoint you eliminate is a step towards simpler compliance.

Practical Descoping Strategies

There are several proven approaches to reducing PCI scope. Most businesses will benefit from combining multiple strategies depending on their payment channels.

Strategy 1: Outsource Online Card Processing

For e-commerce payments, the most effective descoping technique is using a hosted payment page or hosted payment fields. Instead of your website collecting card details and passing them to a processor, the customer enters their card number directly on the payment provider's page (or in an iframe hosted by the provider). Your server never touches the card data.

This approach can move you from SAQ A-EP (191 questions) or SAQ D (326 questions) down to SAQ A (22 questions). Most modern payment providers — including Stripe, Adyen, Worldpay, and others — offer hosted options that make this straightforward to implement.

Strategy 2: Implement DTMF Masking for Telephone Payments

Telephone payments are one of the trickiest areas for PCI compliance. When a customer reads their card number to an agent, that data flows through the phone system, is heard by the agent, appears on the agent's screen (if they type it in), and may be captured in call recordings. The scope implications are enormous.

DTMF masking eliminates this entirely. With a solution like Paytia, the customer enters their card details using their phone keypad during the call. The DTMF tones are intercepted and replaced with flat tones, so the agent hears a uniform sound and never knows the card number. The actual card data is routed directly to the payment processor, completely bypassing your phone system, your agents, your network, and your call recordings.

The impact on scope is dramatic. Without DTMF masking, a contact centre taking telephone payments might need SAQ C-VT (79 questions) or SAQ D (326 questions). With DTMF masking, the same business can qualify for SAQ A (22 questions), because card data never enters their environment. We explain DTMF masking technology in detail in Guide 7.

Strategy 3: Use Point-to-Point Encryption (P2PE) for In-Person Payments

For face-to-face payments, Point-to-Point Encryption encrypts card data from the moment the card is tapped, inserted, or swiped. The encrypted data passes through your systems but can't be decrypted by anything in your environment — only the payment processor can decrypt it. This means your network and systems never have access to usable card data.

Using a validated P2PE solution qualifies you for SAQ P2PE (33 questions) instead of a more demanding SAQ. The key word is "validated" — the P2PE solution must be on the PCI SSC's list of validated solutions. Not every encrypted terminal qualifies.

Strategy 4: Network Segmentation

If you can't completely remove card data from your systems, the next best approach is network segmentation — isolating the systems that handle card data from the rest of your network. When done correctly, segmentation limits the scope to just the segmented portion rather than your entire network.

For example, if your payment processing server sits on its own network segment, separated by properly configured firewalls from your general office network, then only the payment segment and the security controls around it are in scope. Your office workstations, email server, and file shares would be out of scope.

Segmentation requires careful implementation and regular testing (PCI DSS v4.0.1 requires segmentation controls to be tested at least every six months). But for businesses that must process card data in-house, it's an essential technique for keeping scope manageable.
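To make the scope rules in "Understanding PCI DSS Scope" and the segmentation argument above concrete, here is an added Python model (not a Paytia tool; the system names, segments and firewall rules are constructed) that computes the in-scope set for three configurations of the same contact centre: a flat network with spoken card numbers, an in-house payment server on its own segment, and DTMF masking.

```python
"""Toy PCI DSS scope calculator (added example; not Paytia tooling).

Models the page's three scope categories: systems handling cardholder data
(the CDE), systems connected to them, and security systems the CDE relies on.
Every system in a segment can reach every other in it (a flat network);
traffic between segments exists only where a firewall rule permits it.
"""
def pci_scope(segment_of, permitted_flows, chd_systems, depends_on):
    """Return the set of in-scope systems.
    segment_of      -- {system: network segment it sits on}
    permitted_flows -- {(a, b)} cross-segment links the firewall allows
    chd_systems     -- systems that store, process or transmit card data
    depends_on      -- {system: {auth/logging/DNS systems it relies on}}
    """
    cde = set(chd_systems)
    scope = set(cde)
    # Category 2: connected-to systems. Sharing a segment means connected.
    cde_segments = {segment_of[s] for s in cde}
    scope |= {s for s, seg in segment_of.items() if seg in cde_segments}
    # A firewall-permitted link to a CDE system pulls the peer in as well.
    for a, b in permitted_flows:
        if a in cde:
            scope.add(b)
        if b in cde:
            scope.add(a)
    # Category 3: security-impacting systems the CDE depends on.
    for s in cde:
        scope |= set(depends_on.get(s, ()))
    return scope

# Constructed contact-centre inventory; names are illustrative only.
OFFICE = ["phone-system", "agent-pc", "call-recorder", "file-server",
          "mail-server", "payment-app", "active-directory"]
DEPENDS = {"payment-app": {"active-directory"}}

def flat_spoken_payments():
    """Agents hear card numbers and key them in; one flat network."""
    chd = {"phone-system", "agent-pc", "call-recorder", "payment-app"}
    return pci_scope({s: "office" for s in OFFICE}, set(), chd, DEPENDS)

def segmented_in_house():
    """Only payment-app handles card data, segmented; firewall lets agent-pc reach it."""
    segment_of = {s: "office" for s in OFFICE}
    segment_of["payment-app"] = "cde"
    return pci_scope(segment_of, {("agent-pc", "payment-app")}, {"payment-app"}, DEPENDS)

def dtmf_masked():
    """DTMF masking routes card data past every listed system: empty CDE."""
    return pci_scope({s: "office" for s in OFFICE}, set(), set(), DEPENDS)
```

The first scenario returns all seven systems, the second only the payment server, the one agent PC the firewall admits, and the directory it depends on, and the third returns nothing, which is the SAQ A position the module describes.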

Strategy 5: Tokenisation

Tokenisation replaces actual card numbers with randomly generated tokens that have no mathematical relationship to the original data. You can store and use the token for things like recurring billing, refunds, and transaction lookups — but the token is useless to an attacker because it can't be reversed to reveal the card number.

If you currently store card numbers for recurring payments or customer convenience, switching to tokenisation removes that stored data from your scope. The payment processor holds the mapping between tokens and real card numbers, and they handle the PCI compliance burden for that storage.

The Financial Impact of Descoping

Descoping isn't just about ticking fewer boxes — it delivers tangible financial savings:

  • SAQ reduction: Moving from SAQ D (326 questions) to SAQ A (22 questions) reduces assessment time from weeks to hours
  • Audit costs: Businesses report 70-80% reductions in annual compliance costs after effective descoping
  • Security infrastructure: Fewer in-scope systems means fewer firewalls, less monitoring, fewer access controls, and reduced licensing costs for security tools
  • Staff training: When agents don't handle card data, PCI-specific training requirements are significantly reduced
  • Breach liability: A smaller cardholder data environment means less exposure if a breach does occur — and fewer systems for attackers to target in the first place
  • IT resource allocation: Teams previously dedicated to maintaining PCI controls can focus on other priorities

To put concrete numbers on it: a mid-sized contact centre completing SAQ D might spend £15,000-£30,000 annually on compliance-related activities (assessment, scanning, remediation, and staff time). After descoping to SAQ A using DTMF masking for telephone payments and hosted payment pages for online transactions, that same business might spend £2,000-£5,000. The technology investment typically pays for itself within the first year.

Common Descoping Pitfalls

Descoping is powerful, but there are mistakes to avoid:

  • Incomplete data flow mapping: If you miss a pathway where card data flows — an old spreadsheet, a backup system, a testing environment using real card numbers — your scope reduction is undermined. Be thorough in your initial analysis.
  • Assuming your provider handles everything: Using a PCI-compliant provider reduces your scope but doesn't eliminate your obligations entirely. You still need to complete the appropriate SAQ and maintain your own security controls (like keeping your systems patched and managing access to your payment accounts).
  • Inadequate segmentation testing: If you're relying on network segmentation, it must be tested regularly. Misconfigured firewall rules or unauthorised connections can inadvertently bring systems back into scope without anyone noticing.
  • Forgetting about paper: Card numbers written on paper forms, Post-it notes, or order slips are in scope too. Descoping should address physical card data as well as digital.
  • Call recordings: Many businesses don't realise their call recordings contain card data until an auditor points it out. If customers speak card numbers during recorded calls, those recordings are in scope — and storing CVV data in recordings is a direct violation of Requirement 3. DTMF masking solves this by ensuring card numbers are never spoken aloud.

Building a Descoping Plan

Here's a practical approach to descoping your environment:

  • Step 1: Map your data flows. Document every place card data enters, moves through, and is stored in your business. Include all channels — online, telephone, in-person, and mail order.
  • Step 2: Identify outsourcing opportunities. For each data flow, ask: can a PCI-compliant third party handle this instead of our own systems?
  • Step 3: Evaluate technology solutions. Hosted payment pages for online. DTMF masking for telephone. P2PE for in-person. Tokenisation for stored data.
  • Step 4: Implement and validate. Deploy the chosen solutions and verify that card data no longer flows through the systems you've descoped.
  • Step 5: Reassess your SAQ type. With a reduced scope, you may qualify for a simpler SAQ. Confirm with your acquiring bank.
  • Step 6: Maintain and monitor. Descoping isn't a one-time exercise. Review your data flows periodically, especially after changes to payment processes, systems, or providers.

For a step-by-step approach to the full compliance journey, see Guide 10: Your PCI Compliance Roadmap.

Key Takeaways

  • Descoping is the most effective strategy for simplifying PCI DSS compliance — it reduces the number of systems, processes, and people in your compliance boundary
  • PCI scope spreads through connectivity — every system connected to those handling card data is pulled into scope, which is why isolation and outsourcing are so powerful
  • Five key techniques drive scope reduction: outsourced online processing, DTMF masking for telephone payments, P2PE for in-person payments, network segmentation, and tokenisation
  • The financial impact is substantial — businesses commonly achieve 70-80% reductions in compliance costs after effective descoping
  • Start with a thorough data flow analysis and look for every opportunity to remove card data from your systems
  • Descoping reduces risk as well as cost — fewer systems handling card data means a smaller attack surface and less exposure if a breach occurs

Frequently Asked Questions

What does descoping mean in PCI DSS?

Descoping means reducing the number of systems, processes, and people that come into contact with cardholder data. Fewer systems in scope means fewer PCI requirements to meet and a simpler SAQ.

How much can descoping save my business?

Significantly. Moving from SAQ D to SAQ A can reduce your compliance questionnaire from 326 questions to 22, cut audit costs by 70-80%, and free up IT resources previously spent on security controls for card data.

Can I fully descope telephone payments?

Yes — solutions like Paytia's DTMF masking mean card numbers are never entered into your systems, heard by agents, or stored in call recordings. This completely removes telephone payments from your PCI scope.

How much does descoping actually save?

We typically see 70-80% reductions in compliance costs after effective descoping. Moving from SAQ D's 326 questions to SAQ A's 22 cuts assessment effort dramatically, and you no longer carry the audit, scanning, and remediation costs tied to the descoped systems. For a Level 1 merchant, that can mean tens of thousands of pounds a year. For a Level 4 SME, it's the difference between weeks of work and an afternoon.

Does descoping remove my PCI obligation entirely?

No — and anyone who tells you otherwise is wrong. PCI DSS still applies to whatever card data still touches your business, even if it's just a redirect to a hosted payment page. What descoping does is shrink the boundary so fewer systems carry compliance controls. You still complete an SAQ and sign an Attestation of Compliance; it's just a much shorter one.

Can I descope only part of my cardholder data environment?

Yes. Descoping is rarely all-or-nothing. A contact centre might descope its phone payments with DTMF masking while its in-person card terminals stay in scope under P2PE. The boundary follows the data, so each channel can be tackled separately. Partial descoping still cuts cost and complexity for the channels you've handled.

What evidence do I need to prove descoping under v4.0.1?

v4.0.1 expects documented, validated scoping evidence covering where PAN is stored and how it flows: you need to show, with proof, that card data really doesn't enter the systems you've descoped. That usually means network diagrams, data-flow documentation, and test results showing that masked traffic contains no card digits. Saying "we use DTMF masking" isn't enough; you need to demonstrate it works.

Ready to simplify your PCI compliance?

Book a personalised demo and we'll show you how Paytia can descope your telephone payment environment.
