PCI DSS

PCI DSS Scope Reduction

Strategies for reducing PCI DSS scope through network segmentation, tokenization, point-to-point encryption, and cardholder data environment management.
Browse PCI DSS topics
PCI DSS Compliance LevelsPCI DSS RequirementsPCI DSS Scope ReductionPCI DSS Self-Assessment Questionnaire (SAQ)PCI DSS v4.0 Changes

Why scope reduction matters

The scope of a PCI DSS assessment is determined by the cardholder data environment (CDE) -- every system, network segment, person, and process that stores, processes, or transmits cardholder data, plus any component connected to or that could impact the security of those systems. The larger the CDE, the more controls you must implement, the more evidence you must collect, and the more expensive and time-consuming your PCI DSS compliance program becomes.

Scope reduction is the practice of shrinking the CDE through architectural and operational changes. A smaller scope means fewer systems to assess, fewer vulnerabilities to manage, and a faster path to compliance. For organizations in the fintech industry handling high transaction volumes, effective scope reduction can be the difference between a manageable compliance program and an overwhelming one.

Understanding the cardholder data environment

Before reducing scope, you must define it. The CDE includes three categories of systems:

CDE systems

These are systems that directly store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). Examples include payment application servers, databases containing card numbers, and point-of-sale terminals.

Connected-to systems

Systems that have network connectivity to CDE systems, even if they do not handle cardholder data themselves, are considered "connected to" the CDE and are in scope. A domain controller that authenticates users accessing a payment server is a connected-to system. An application server on the same network segment as a payment processor is also in scope.

Security-impacting systems

Systems that could affect the security of the CDE are in scope even without direct connectivity. This includes SIEM servers that collect logs from CDE systems, anti-malware management consoles, and vulnerability scanners used against CDE components.

Scope reduction strategies

Network segmentation

Network segmentation is the most fundamental scope reduction technique. By isolating the CDE on a dedicated network segment with strict access controls, you prevent other systems from being classified as "connected to" the CDE.

Effective segmentation requires:

  • Dedicated VLANs or network segments for all CDE components
  • Firewall rules that restrict traffic between the CDE and the rest of the corporate network to only what is business-justified
  • Separate management interfaces for CDE networking equipment where feasible
  • Regular validation that segmentation controls are functioning correctly, including penetration testing that specifically targets segmentation boundaries

PCI DSS v4.0 requires that segmentation controls be tested at least every six months for service providers and annually for merchants. This testing must verify that the segmentation is effective at isolating the CDE from out-of-scope networks.

Common segmentation mistakes:

  • Flat networks where CDE and non-CDE systems share the same subnet
  • Overly permissive firewall rules that negate the benefit of segmentation
  • Forgetting to segment management and monitoring networks
  • Allowing VPN or remote access solutions to bridge CDE and non-CDE segments

Tokenization

Tokenization replaces cardholder data with a surrogate value (a token) that has no exploitable meaning. When implemented correctly, systems that only handle tokens are not in scope for PCI DSS, because tokens are not considered cardholder data.

How tokenization reduces scope:

  • Your application stores and processes tokens instead of primary account numbers (PANs)
  • The token vault, where tokens map back to real card numbers, remains in scope but is isolated to a dedicated, hardened environment
  • All other systems that interact with tokens (your CRM, analytics platform, order management system) are removed from scope
  • You can use tokens for recurring transactions, refunds, and customer lookups without touching real card data

Tokenization considerations:

  • The tokenization system itself is in scope and must be PCI DSS compliant
  • Tokens must not be reversible through mathematical means without the token vault
  • If you use a third-party tokenization service provider, that provider must be PCI DSS validated
  • Format-preserving tokens that resemble card numbers may create confusion about whether real card data is present -- clear documentation is essential

Point-to-point encryption (P2PE)

PCI-validated Point-to-Point Encryption (P2PE) solutions encrypt cardholder data at the point of interaction (the payment terminal) and keep it encrypted until it reaches the decryption environment at the payment processor. When using a PCI-listed P2PE solution, the merchant's environment between the terminal and the processor is removed from scope.

Scope reduction benefits of P2PE:

  • The encrypted data passing through your network is not considered cardholder data for scoping purposes
  • Network infrastructure between the P2PE terminal and the internet is not in scope
  • You may qualify for SAQ P2PE, which contains approximately 33 questions -- significantly fewer than other SAQ types
  • Physical security of terminals and P2PE device management become the primary compliance focus

P2PE requirements:

  • The solution must be listed on the PCI SSC's list of validated P2PE solutions
  • Terminal management must follow the P2PE Instruction Manual (PIM) provided by the solution vendor
  • You cannot access the decryption keys or decrypted data at any point
  • Any deviation from the PIM may invalidate the scope reduction benefits

Outsourcing payment processing

Fully outsourcing payment processing to a PCI DSS-validated service provider is another effective scope reduction strategy. By redirecting customers to a hosted payment page or using an iframe provided by the processor, your systems never touch cardholder data.

Outsourcing approaches:

  • URL redirect - The customer is redirected to the payment processor's website to enter card details, then returned to your site after payment. Your systems never handle cardholder data.
  • Embedded iframe - An iframe from the payment processor is embedded in your checkout page. The card data is submitted directly to the processor, bypassing your servers.
  • JavaScript tokenization - A JavaScript library from the processor captures card data in the browser and sends it directly to the processor, returning a token to your server.

Each approach has different scope implications. A URL redirect may qualify you for SAQ A, while an embedded iframe or JavaScript approach may require SAQ A-EP due to the risk that compromised scripts on your page could intercept card data. See the SAQ guide for detailed eligibility criteria.

Data minimization

The simplest scope reduction technique is to stop storing cardholder data you do not need. Many organizations retain full card numbers for convenience rather than necessity.

Data minimization practices:

  • Delete stored cardholder data that has no ongoing business or legal requirement
  • Truncate PANs to the first six and last four digits where full numbers are not needed
  • Never store sensitive authentication data (CVV, PIN, full track data) after authorization
  • Implement data retention policies with automated purging
  • Audit databases, log files, and backups for unintended cardholder data storage

Combining strategies for maximum reduction

The most effective scope reduction programs layer multiple strategies. A typical approach might combine:

  1. Tokenization for application-layer scope reduction, ensuring your databases and application servers only handle tokens
  2. Network segmentation to isolate the remaining CDE systems (token vault, any systems that interact with the payment processor)
  3. P2PE for in-store payment terminals, removing the retail network from scope
  4. Outsourced payment pages for e-commerce, redirecting card data capture to a validated processor

This layered approach can reduce a CDE from hundreds of systems to a handful, dramatically simplifying the compliance assessment.

Validating scope reduction

Scope reduction is only effective if it is properly validated. PCI DSS requires:

  • Documented data flows showing where cardholder data enters, moves through, and exits the environment
  • Network diagrams that clearly delineate CDE boundaries and segmentation controls
  • Penetration testing that validates segmentation effectiveness by attempting to access the CDE from out-of-scope networks
  • Annual scope confirmation as part of the assessment process, verifying that no new systems or data flows have expanded the CDE

Scope reduction is not a one-time project. As your architecture evolves, new integrations, cloud migrations, and business changes can inadvertently expand the CDE. Building scope reviews into your change management process ensures that reductions remain effective over time and your PCI DSS requirements stay manageable.

Related topics

requirementscompliance-levelsself-assessment-questionnaire

Related terms

What is GRC?What is PCI DSS?

Continue exploring

What is Access Control?

Glossary definition

episki vs Drata

See how we compare

What Makes a CISO Metric Actually Useful?

From the blog

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.
Start free trialBook a walkthrough