By Viviana Wesley – PCI QSA, ISO 27001 Auditor, CISM and Jason Maiden – CISSP, PCI-QSA, PMP, ISO Lead Auditor

Understanding the PCI DSS v4.0.1 requirements is essential for compliance but knowing what’s actually in scope is just as important. PCI DSS doesn’t need to apply to your entire environment — only to the parts that touch or affect the security of cardholder data. That’s where scope comes in.

So, what is “scope” in PCI DSS?

In simple terms, your scope includes all systems that store, process, transmit, or can impact the security of cardholder data (CHD), particularly Primary Account Numbers (PANs) and other sensitive authentication data. This group of systems is often referred to as the Cardholder Data Environment (CDE).

Some common examples include:

  • Point-of-sale (POS) devices
  • Payment applications
  • Databases and servers that store or transmit CHD
  • Web portals or mobile apps that capture payment information

But scope doesn’t stop there.


Unexpected Systems That Fall Into Scope

It’s easy to think only about the obvious systems, but even indirect connections to the CDE can bring a system into scope. One commonly overlooked example? Printers.

If a printer has unrestricted connectivity to components in the CDE, it’s considered in scope. Even printers used for reports or logs — if they have access to CDE-connected systems or receive exported data — can fall under PCI requirements.

Other often-missed examples of “scope creep” include:

  • Configuration management tools with access to systems for support or maintenance
  • Monitoring and logging servers that collect data from in-scope components
  • Jump boxes or remote desktop solutions used to administer in-scope components
  • Network security controls (e.g., firewalls) that act as network policy enforcement points or protect CDE traffic
  • Development environments that clone or test production systems

If a system can access, influence, or affect the CDE, even indirectly, it’s within PCI scope.


People, Vendors, and Services Count Too

Scoping isn’t just about hardware and software. It also includes any person or third party who interacts with your in-scope environment.

  • Employees who take phone payments or access payment systems
  • IT administrators managing in-scope components
  • Backup services that store CHD or disaster recovery systems
  • Payment processors, managed service providers, and hosting partners

Whether you manage it internally or rely on a vendor, anything that touches CHD or influences its security needs to be included.


Guidance for Determining PCI DSS Scope

To properly define and manage your PCI compliance scope, build a repeatable process that includes the following:

  1. Identify Applicability: As a PCI DSS merchant, you must first find all the ways that PAN data is introduced into your environment. These are referred to as your credit card acceptance channels. If you are a third-party service provider and you don’t directly handle CHD, then this step shifts to identifying all the services being provided that make you a third-party service provider for PCI DSS compliance. The people, processes and technologies used in these acceptance channels and/or services become your scope.
  2. Map the Data Flow: Next, create diagrams that show how cardholder data enters, moves through, and exits your environment, from the point of entry to authorization and storage (if any). These diagrams should include enough detail to help you identify the systems and networks that are part of this communication path.
  3. Inventory Everything: Using the information obtained in the first two steps, create an in-scope inventory. Start with a comprehensive list of software, systems, devices, applications, and services that handle or connect to cardholder data. Include production and backup systems. Ensure that components that manage the security of these components are also included.
  4. Track Human Access: Document which individuals, teams, or vendors interact with in-scope systems, including support staff, contractors, and anyone with administrative access.
  5. Reassess Regularly: Your scope can shift over time. Review it at least annually, and whenever there’s a significant change (e.g., adding a new payment processor or launching a new application). Any new initiative related to payments may impact your scope and compliance obligations, and therefore should be assessed early in the process.
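As an added example (not from the article or HALOCK's own tooling), the following Python script applies the scoping rules above, "handles CHD", "can reach the CDE, even indirectly", and "manages the security of in-scope components", to a constructed asset inventory such as the one step 3 produces. The asset names, the connects_to/manages relationships, and the three scope categories are assumptions made for illustration.

```python
"""Added example (not from the article): classify a constructed asset inventory into
PCI DSS scope categories: handles CHD (CDE), can reach the CDE, or manages its security."""
from collections import deque

# Constructed sample inventory; asset names and relationships are illustrative assumptions.
ASSETS = {
    "pos-terminal":      {"handles_chd": True,  "connects_to": ["payment-db"], "manages": []},
    "payment-db":        {"handles_chd": True,  "connects_to": [], "manages": []},
    "report-printer":    {"handles_chd": False, "connects_to": ["payment-db"], "manages": []},
    "jump-box":          {"handles_chd": False, "connects_to": ["payment-db"], "manages": []},
    "admin-workstation": {"handles_chd": False, "connects_to": ["jump-box"], "manages": []},
    "syslog-server":     {"handles_chd": False, "connects_to": [], "manages": ["payment-db"]},
    "cde-firewall":      {"handles_chd": False, "connects_to": [], "manages": ["pos-terminal"]},
    "hr-portal":         {"handles_chd": False, "connects_to": ["intranet-wiki"], "manages": []},
    "intranet-wiki":     {"handles_chd": False, "connects_to": [], "manages": []},
}


def classify_scope(assets):
    """Return sorted asset names per category: cde, connected, security_impacting, out_of_scope."""
    cde = {name for name, a in assets.items() if a["handles_chd"]}
    # Reverse adjacency: for each asset, which assets have a connection into it.
    reaches = {name: set() for name in assets}
    for name, a in assets.items():
        for target in a["connects_to"]:
            reaches[target].add(name)
    # Walk backwards from the CDE: anything that can reach a CDE component, directly or
    # through another connected system, is "connected-to" and therefore in scope.
    connected, queue = set(), deque(cde)
    while queue:
        for src in reaches[queue.popleft()]:
            if src not in cde and src not in connected:
                connected.add(src)
                queue.append(src)
    # Security-impacting: manages (firewall policy, logging, admin access) any in-scope
    # asset. Iterate to a fixpoint so a manager of a manager is also pulled in.
    in_scope = cde | connected
    impacting, changed = set(), True
    while changed:
        changed = False
        for name, a in assets.items():
            if name not in in_scope and set(a["manages"]) & in_scope:
                impacting.add(name)
                in_scope.add(name)
                changed = True
    return {"cde": sorted(cde), "connected": sorted(connected),
            "security_impacting": sorted(impacting),
            "out_of_scope": sorted(set(assets) - in_scope)}
```

Calling `classify_scope(ASSETS)` places the report printer, the jump box and the workstation that reaches it in the connected category, and the syslog server and firewall in the security-impacting category, leaving only the HR portal and wiki out of scope.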


Why Getting Scope Right Matters

Getting your PCI DSS scope right is not just about “checking the boxes” — it’s about focusing your security efforts where they matter most. When your scope is clear, you:

  • Can apply the right controls to the right systems
  • Reduce unnecessary effort and cost by avoiding over-scoping
  • Maintain alignment with the intent of PCI DSS: protecting cardholder data


Need Help Defining Your Scope?

PCI DSS compliance can get complex, especially for organizations with hybrid environments, multiple vendors, or legacy systems. If you’re unsure where your scope starts or ends, you’re not alone.

At HALOCK Security Labs, our experts help organizations like yours define and manage PCI DSS scope with confidence — aligning your security strategy with compliance expectations and business goals. To find more helpful PCI insights please visit PCI Compliance.
