
Reduce Your PCI Scope by Up to 80%

Understanding your Cardholder Data Environment is the foundation of PCI compliance. Scope it right, and the rest follows.

What is the Cardholder Data Environment?

PCI DSS scoping sorts systems into three concentric zones. The innermost zone, the CDE, carries the full set of applicable PCI DSS requirements. The middle zone is also in scope for the requirements that apply to it; only the outer zone is out of scope.

Out of Scope

Systems with no connectivity to the CDE and no access to cardholder data. HR systems, marketing tools, general-purpose workstations.

Connected-to / Security-Impacting Systems

Systems with network connectivity to the CDE, or that could affect its security even without direct connectivity (for example, a system that pushes configuration or credentials into the CDE). DNS servers, authentication systems, log aggregators, jump boxes. These are in scope and must be assessed against the requirements that apply to them.

CDE — Cardholder Data Environment

Systems that store, process, or transmit cardholder data or sensitive authentication data, plus any systems on the same network segment that are not isolated from them by a segmentation control. Payment servers, databases with PAN, card terminals, payment applications.

What Data is In Scope?

PCI DSS distinguishes between cardholder data (which may be stored if protected, for example with strong encryption or truncation) and sensitive authentication data (which must never be retained after authorisation, even if encrypted; only issuers with a business justification are exempt).

Data Element | Status | Note
PAN (Primary Account Number) | Always in scope | The core data element that defines cardholder data
Cardholder Name | Conditional | In scope when stored, processed, or transmitted with PAN
Expiration Date | Conditional | In scope when stored, processed, or transmitted with PAN
Service Code | Conditional | In scope when stored, processed, or transmitted with PAN
Full Track Data (magnetic stripe / chip) | Never store post-auth | Sensitive authentication data; never store after authorisation
CVV / CVC / CAV2 / CID | Never store post-auth | Sensitive authentication data; never store after authorisation
PIN / PIN Block | Never store post-auth | Sensitive authentication data; never store after authorisation
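A practical first step in scoping is finding where PAN actually lives, because every file, database or log that holds it is in scope. The following is an added example, not code from this page or from GRCTrack: a minimal cardholder-data discovery scanner that runs over constructed sample log lines, keeps only Luhn-valid runs of 13 to 19 digits (which drops the look-alike ticket number), reports each PAN in the masked display form PCI DSS permits (at most the first six and last four digits), and flags lines that carry a labelled sensitive-authentication-data field such as cvv=. The sample lines, the field-name list and the function names are assumptions made for the example.

```python
import re

# Constructed sample records for demonstration (not real data, not from GRCTrack).
SAMPLE_LINES = [
    "2024-03-02T10:14:05Z order=8813 card=4111111111111111 amount=19.99",
    "2024-03-02T10:14:06Z order=8814 card=4111-1111-1111-1112 amount=5.00",
    "2024-03-02T10:14:07Z support-ticket=20240302123456789 note=customer called",
    "2024-03-02T10:14:08Z token=tok_9f3a7c21 last4=4242 amount=12.00",
    "2024-03-02T10:14:09Z order=8815 card=5555 5555 5555 4444 cvv=123 amount=80.00",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that suggest sensitive authentication data is being written.
# Heuristic (assumed list): it catches labelled fields, not unlabelled values.
SAD_FIELD = re.compile(
    r"\b(?:cvv2?|cvc2?|cav2|cid|track[12]?|pin(?:_?block)?)\s*=", re.IGNORECASE
)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every PAN satisfies; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form allowed by PCI DSS: at most the BIN (first 6) and last 4."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return unformatted PANs found in text (Luhn-valid, 13 to 19 digits)."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_for_chd(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every PAN found. The report is masked so
    the scan output itself does not become another place where PAN is stored."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


def scan_for_sad(lines: list[str]) -> list[int]:
    """Line numbers carrying a field name that indicates SAD (CVV, track, PIN)."""
    return [n for n, line in enumerate(lines, 1) if SAD_FIELD.search(line)]


if __name__ == "__main__":
    for n, masked in scan_for_chd(SAMPLE_LINES):
        print(f"line {n}: PAN found {masked} -> this data store is in scope")
    for n in scan_for_sad(SAMPLE_LINES):
        print(f"line {n}: SAD field present -> must not be retained post-authorisation")
```

Run against the constructed lines, the scanner reports lines 1 and 5 as holding PAN (line 2 fails the Luhn check, line 3 is a 17-digit ticket number, line 4 holds only a token and last four) and line 5 as carrying a labelled CVV, which is a finding on its own regardless of whether the PAN is encrypted. A real discovery run would walk file systems, database columns and log stores with the same two checks, and the hits define the minimum CDE.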

Scope Reduction Strategies

Five approaches are commonly used to reduce PCI DSS scope, assessment effort, and compliance cost: network segmentation, tokenisation, point-to-point encryption (P2PE), outsourcing payment processing, and validated payment applications. Network segmentation is detailed here.

Network Segmentation

Isolate the CDE from the rest of your corporate network using firewalls, VLANs with enforced access control, or other network security controls (NSCs). This reduces the number of systems in scope by preventing direct connectivity between the CDE and other networks. Segmentation only removes systems from scope if it is actually enforced and verified: a VLAN with no filtering between it and the CDE does not segment anything, and PCI DSS v4.0 Requirement 11.4.5 requires penetration testing of the segmentation controls at least once every 12 months and after any change to them (every six months for service providers, Requirement 11.4.6).

Scope impact
High — can reduce scope by 60-80%
Complexity
Medium — requires network architecture changes and ongoing rule management
Cost
Medium — firewall/NSC investment plus ongoing management
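To make the three-zone model and the effect of segmentation concrete, here is an added example that is not code from this page or from GRCTrack's product. It classifies a constructed host inventory using the rules described above: systems handling cardholder data, and everything sharing a network segment with them, are CDE; any other system with a firewall-permitted flow to or from a CDE system is connected-to; the rest is out of scope. It then re-runs the classification after two segmentation changes. The host names, segments, flows and function names are assumptions made for the example.

```python
# Constructed inventory: hypothetical hosts, segments and firewall-allowed flows.
# Not real data and not GRCTrack's model. "chd" marks systems that store,
# process or transmit cardholder data.
HOSTS = {
    "pay-app-01": {"segment": "payments", "chd": True},
    "pay-db-01":  {"segment": "payments", "chd": True},
    "batch-01":   {"segment": "payments", "chd": False},  # shares the CDE segment
    "dns-01":     {"segment": "infra",    "chd": False},
    "ad-dc-01":   {"segment": "infra",    "chd": False},
    "siem-01":    {"segment": "infra",    "chd": False},
    "jump-01":    {"segment": "mgmt",     "chd": False},
    "hr-app-01":  {"segment": "corp",     "chd": False},
    "wiki-01":    {"segment": "corp",     "chd": False},
}

# (source, destination, port) permitted by the firewall between segments.
FLOWS = [
    ("pay-app-01", "pay-db-01", 5432),
    ("pay-app-01", "dns-01", 53),
    ("pay-app-01", "ad-dc-01", 636),
    ("pay-app-01", "siem-01", 514),
    ("jump-01", "pay-db-01", 22),
    ("wiki-01", "pay-app-01", 443),   # a corp system allowed into the CDE
    ("hr-app-01", "ad-dc-01", 636),
]


def classify(hosts, flows):
    """Sort hosts into the three scoping zones.

    CDE: systems handling CHD plus every system in a segment they share
         (nothing separates them, so they are treated as one zone).
    Connected-to: any non-CDE system with an allowed flow to or from a CDE
         system, in either direction.
    Out of scope: everything else. A flow to a connected-to system alone does
         not pull a host in.
    """
    cde = {h for h, a in hosts.items() if a["chd"]}
    cde_segments = {hosts[h]["segment"] for h in cde}
    cde |= {h for h, a in hosts.items() if a["segment"] in cde_segments}

    connected = set()
    for src, dst, _port in flows:
        if src in cde and dst not in cde:
            connected.add(dst)
        elif dst in cde and src not in cde:
            connected.add(src)

    out_of_scope = set(hosts) - cde - connected
    return {
        "cde": sorted(cde),
        "connected": sorted(connected),
        "out_of_scope": sorted(out_of_scope),
    }


def in_scope_count(zones):
    """Systems an assessor has to look at: CDE plus connected-to."""
    return len(zones["cde"]) + len(zones["connected"])


def with_segmentation(hosts, flows):
    """Constructed remediation: move batch-01 into its own segment and drop the
    corp -> payment-app rule. Returns a new inventory; the inputs are unchanged."""
    hosts2 = {h: dict(a) for h, a in hosts.items()}
    hosts2["batch-01"]["segment"] = "batch"
    flows2 = [f for f in flows if (f[0], f[1]) != ("wiki-01", "pay-app-01")]
    return hosts2, flows2


if __name__ == "__main__":
    before = classify(HOSTS, FLOWS)
    after = classify(*with_segmentation(HOSTS, FLOWS))
    print("before:", before, in_scope_count(before), "of", len(HOSTS), "in scope")
    print("after: ", after, in_scope_count(after), "of", len(HOSTS), "in scope")
```

Before segmentation, 8 of the 9 hosts are in scope: batch-01 is CDE only because it sits on the payments segment, and wiki-01 is connected-to only because one rule lets it reach the payment application. Moving batch-01 out and deleting that rule drops the in-scope count to 6 without touching the payment systems themselves, which is the mechanism behind the percentages quoted above. The classification is only as good as the flow list, so in practice it is fed from the actual firewall rule base and confirmed by the segmentation penetration test.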

Segmentation Impact

See how network segmentation reduces the number of systems and controls in your PCI assessment.

[Interactive calculator: toggles between "Without segmentation" and "With segmentation" and reports the controls in scope (about 330 without segmentation) and the resulting assessment effort reduction (0% without segmentation).]

Train your team on CDE boundaries and scope reduction

GRCTrack includes training modules on network segmentation, tokenisation, and data flow documentation — helping your team understand how to identify and reduce PCI scope.


Automate scope documentation and CDE mapping

GRCTrack's Architecture Intelligence AI maps your CDE, documents data flows, and identifies scope reduction opportunities.

Frequently Asked Questions

What is PCI DSS scoping?
PCI DSS scoping is the process of identifying all systems, people, and processes that store, process, or transmit cardholder data (CHD) or could affect the security of the cardholder data environment (CDE). Accurate scoping is the foundation of compliance.
How do I reduce PCI DSS scope?
Scope reduction strategies include network segmentation, tokenisation, point-to-point encryption (P2PE), outsourcing payment processing, and using validated payment applications. Each strategy removes systems from your CDE, reducing the number of applicable controls.
What is a CDE in PCI DSS?
The Cardholder Data Environment (CDE) comprises the people, processes, and systems that store, process, or transmit cardholder data or sensitive authentication data, plus any systems on the same network segment that are not isolated from them. Systems that are connected to the CDE, or that could affect its security, are not part of the CDE but are still in scope for assessment. Minimising both the CDE and the set of connected-to systems reduces the compliance burden.
What is network segmentation in PCI?
Network segmentation isolates the CDE from the rest of your network using firewalls, VLANs with enforced access control, or other network security controls. Segmentation is not itself a PCI DSS requirement, but where it is used to reduce scope it must be verified by penetration testing of the segmentation controls at least annually (more often for service providers). Done properly, it significantly reduces assessment scope and the number of systems requiring compliance controls.