Defining the Scope for PCI Compliance