PCI DSS · 1 July 2026
Reducing your PCI DSS scope: how to simplify compliance
The single most effective way to make PCI DSS compliance simpler, faster and cheaper is to reduce your scope. This guide explains what scope means and the practical steps you can take to shrink it.
What “scope” means
Your PCI DSS scope is everything involved in handling cardholder data: the people, processes and technology that store, process or transmit the Primary Account Number (PAN) and related data, plus any system connected to them. Every item in scope must meet the applicable PCI DSS requirements.
The logic is straightforward: the more of your environment that touches card data, the more you have to secure, assess and evidence each year. Reduce the footprint, and you reduce the work — often moving from a long questionnaire to a much shorter one. It’s worth understanding how scope drives which SAQ type you complete.
Step 1: Don’t store cardholder data
The first question to ask is whether you need to store card data at all. In most cases the answer is no. Storing PANs — even temporarily in spreadsheets, emails, call recordings or paper notes — pulls large parts of your organisation into scope and pushes you towards the demanding SAQ D.
Practical actions:
- Never write down or type full card numbers into general systems
- Avoid recording calls where card details are read out, or pause recording during payment
- Securely destroy any legacy paper records containing card data
- Confirm your payment provider, not you, holds any stored card details for repeat payments
Step 2: Outsource card handling
If card data never reaches your systems, most of PCI DSS simply doesn’t apply to you. The most powerful scope-reduction technique is to hand payment processing to a PCI DSS compliant provider so that they, not you, handle the sensitive data.
Examples include:
- Using a payment service provider that takes the payment entirely on their own infrastructure
- Directing telephone payments through a compliant provider rather than keying them yourself
- Choosing suppliers who can evidence their own PCI DSS compliance
When card handling is fully outsourced for an e-commerce or telephone operation, you may qualify for the very short SAQ A.
Step 3: Use hosted or redirect payment pages online
For online payments, how your checkout is built makes a big difference:
- A hosted payment page or redirect, where the customer is sent to the provider’s page, keeps card data out of your website entirely and can qualify you for SAQ A.
- An iframe served wholly by the provider offers similar benefits.
- By contrast, if your own site handles or influences the payment fields, your web environment comes into scope and you’ll likely need the longer SAQ A-EP.
Choosing a redirect or fully hosted solution is usually the simplest route for smaller organisations.
Step 4: Segment your network
Where card data does have to pass through equipment you control — for instance, integrated tills or payment terminals — network segmentation keeps those systems separate from the rest of your network.
Without segmentation, your entire network is potentially in scope. With proper segmentation (using firewalls or physically separate networks), only the isolated card environment is in scope, and everything on the other side of the boundary is excluded. Segmentation must be robust and tested to be relied upon.
Step 5: Consider point-to-point encryption (P2PE)
A validated P2PE solution encrypts card data at the point of capture (the terminal) so that it can only be decrypted by the solution provider. Because your systems never see usable card data, your scope shrinks dramatically and you may qualify for the short P2PE SAQ. The solution must be on the PCI-listed P2PE list to count.
Bringing it together
Here’s how the choices map to outcomes:
| Approach | Effect on scope | Typical SAQ |
|---|---|---|
| Fully outsourced e-commerce / phone payments | Minimal | A |
| Own website affects payment page | Web environment in scope | A-EP |
| Standalone IP terminal, no storage | Small | B-IP |
| Validated P2PE solution | Very small | P2PE |
| Storing card data electronically | Large | D |
A note on personal data
Reducing PCI DSS scope also reduces the amount of sensitive personal data you hold, which supports your wider UK GDPR obligations overseen by the ICO. Holding less data is almost always safer on both fronts — the data you never collect can never be lost or stolen.
People and processes count too
Scope reduction is often thought of as a purely technical exercise, but people and processes matter just as much. If staff read out card numbers over the phone, jot them on notepads, or key them into systems that aren’t ring-fenced, those people and processes are in scope regardless of your technology. Reducing scope therefore also means:
- Training staff never to write down or store card details
- Removing informal workarounds, such as taking card numbers by email
- Documenting a single, controlled way to take each type of payment
- Reviewing call-recording practices so card details aren’t captured
Tightening the human side of card handling frequently removes more scope than any single technical change.
Validating and maintaining your reduced scope
Cutting scope isn’t a one-off event. Environments drift over time — a new supplier is added, a member of staff starts taking payments a different way, or a website is redeveloped. To keep the benefit of a reduced scope:
- Document your target scope so everyone knows what’s in and out
- Confirm segmentation works where you rely on it, and test it periodically
- Review payment processes whenever something changes
- Re-confirm your SAQ each year, checking it still matches how you take payments
Treating scope as something you actively maintain, rather than set and forget, is what keeps the annual assessment simple year after year.
How we can help
Working out where card data flows and where you can safely cut scope takes a clear-eyed look at your payment processes. We offer a transparent, fixed-fee engagement that maps your current setup, identifies practical scope-reduction opportunities, and supports you through the resulting self-assessment. To explore this, see our PCI DSS service or get in touch for a no-obligation chat.
Need help in practice? See our PCI DSS service.