Cardholder data environment architecture

Reduce PCI DSS Risk by Getting Scope Right

PCI DSS scoping guide for cardholder data environment, payment flows, segmentation, vendors, POS networks, ecommerce systems, cloud platforms, and scope reduction.

In scopeConnected toSecurity impacting

Written for: IT managers, MSPs, network engineers, ecommerce leaders, retail operators, and compliance owners responsible for PCI DSS scope.

01

Why Scope Drives Everything

PCI DSS scope determines which systems, people, processes, networks, vendors, and evidence are relevant. A weak scope decision can make the business overpay for unnecessary work or under-protect systems that actually affect cardholder data.

The cardholder data environment includes systems that store, process, or transmit cardholder data and systems that can impact the security of that environment.

02

Segmentation and Scope Reduction

Segmentation can reduce PCI DSS scope when it is designed, enforced, documented, and tested. Examples include separating POS systems from guest Wi-Fi, limiting administrator paths, controlling firewall rules, isolating payment applications, and preventing broad flat-network access.

Segmentation is not only a diagram. It needs firewall rules, VLAN design, access control, vulnerability testing, change records, and proof that unauthorized paths are blocked.

03

What to Collect

Collect payment-flow diagrams, data-flow diagrams, asset inventory, firewall rules, VLANs, cloud network diagrams, POS vendor access paths, remote access settings, wireless segmentation evidence, scans, penetration-test scope, and card-data storage results.

The existing PCI DSS Scope and Readiness Check can help the business identify early scope concerns before deeper remediation planning.

Scope Is the Most Expensive PCI DSS Decision

Scope determines how much of the business becomes part of the PCI DSS review. If scope is too broad, the business may spend money reviewing systems that do not matter. If scope is too narrow, it may miss systems that can actually expose cardholder data.

Good scoping connects business process, data flow, network design, vendor access, administrative control, logs, backups, and cloud architecture.

Segmentation Needs Proof, Not a Drawing

Network enforcement

Firewall policies, VLAN routing, ACLs, wireless separation, VPN rules, and cloud security groups must block unauthorized paths.

Administrative paths

Admin workstations, jump hosts, RMM tools, vendor accounts, and privileged service accounts must be included in the model.

Testing evidence

Segmentation testing, vulnerability scans, rule reviews, and change records should support the claim that systems are separated.

Exception handling

Any temporary access, support path, or emergency change should have an owner, approval, expiration, and review record.

Scoping Map for a Real Environment

Payment entry

Terminals, ecommerce checkout, phone orders, mobile readers, invoices, recurring billing, and virtual terminals.

Data locations

Databases, exports, logs, reports, backups, emails, ticket notes, screenshots, call recordings, and processor portals.

Connected systems

Firewalls, switches, wireless networks, DNS, web servers, cloud accounts, identity systems, monitoring, and backup platforms.

Vendors

POS provider, gateway, ecommerce developer, MSP, hosting provider, call center, processor, and security vendors.

Scope Reduction Is a Security Project

Scope reduction can be valuable, but it has to be engineered. Moving to tokenization, hosted checkout, P2PE where applicable, tighter network segmentation, and controlled vendor access can reduce exposure only when the implementation is documented and tested.

The best outcome is a smaller, clearer environment with stronger proof.

Scope decisions that survive technical challenge

Begin with data flow, then add control flow. Data flow follows PAN and SAD through capture, authorization, processing, display, storage, export, backup, and deletion. Control flow follows the identities, management tools, software pipelines, network paths, cloud consoles, hypervisors, logging platforms, and providers that can alter those systems. Many underestimated environments map the first flow but omit the second.

Segmentation should be evaluated from representative source locations, including office networks, guest wireless, vendor access, management subnets, cloud networks, virtualization hosts, backup systems, administrator workstations, and other connected environments. A single permitted path may be legitimate, but it must be minimal, authenticated, monitored, documented, and included in the scope analysis rather than treated as invisible.

Shared services require explicit reasoning. Directory services, DNS, NTP, vulnerability scanners, endpoint management, backup, SIEM, certificate services, and patch platforms can support both CDE and non-CDE systems. Determine whether compromise of the shared service could affect payment security, how administrative access is isolated, which logs are available, and whether a dedicated instance or constrained architecture would reduce risk.

Scope governance should be integrated with procurement and change management. New payment methods, websites, plugins, processors, terminals, RMM tools, cloud accounts, wireless designs, acquisitions, office moves, and support providers should trigger a documented PCI DSS impact review. The annual confirmation then validates an actively maintained record instead of reconstructing a year of undocumented change.

Architecture evidence for a defensible boundary

Data-flow evidence

Create separate flows for in-person, ecommerce, virtual-terminal, telephone, recurring, refund, settlement, and support activity. Show where PAN or SAD can exist, which provider handles it, and how error, logging, export, and backup paths differ from the normal transaction.

Connectivity evidence

Build a source-to-destination matrix with ports, protocols, business purpose, owner, firewall or security-group reference, authentication, encryption, logging, and approval. Review reverse paths and stateful behavior; a diagram arrow alone does not prove traffic is restricted.

Administrative evidence

Map jump hosts, VPN, RMM, cloud consoles, hypervisors, endpoint management, backup, SIEM, identity providers, secrets, and vendor support. Record source-device controls, unique identities, MFA, privilege, session evidence, availability window, and revocation.

Segmentation evidence

Test from representative non-CDE, connected, wireless, cloud, management, and vendor source zones. Preserve methodology, targets, attempts, unexpected routes, remediation, and retest. Repeat the analysis after significant network or management-plane changes.

Scope Evidence Inventory

Use this inventory to support decisions about what is inside or outside the cardholder data environment.

Scope itemWhat to verifyEvidence
Payment entryTerminal, ecommerce, phone, recurring billing, invoicesPayment-flow diagram
StoragePAN in files, logs, databases, backups, exportsDiscovery notes and retention review
NetworkCDE VLANs, firewall paths, wireless separationDiagram and rule export
VendorsRemote access, support accounts, processor responsibilitiesVendor list and AOC/contract notes

Scope Details That Usually Decide the Project Size

Scoping is also a governance issue. When the business adds a new payment method, changes processors, moves ecommerce hosting, adds remote support, updates Wi-Fi, or migrates workloads to cloud, scope should be reviewed again instead of waiting for the next annual validation.

Segmentation should be treated as a living control. Firewall rules, routes, cloud security groups, VPN access, jump hosts, wireless separation, and vendor tools can drift over time, so the business needs recurring evidence that isolation still works.

A scope decision should have an expiration condition

Document when the boundary must be reconsidered: new payment channels, provider changes, firewall redesign, cloud migration, acquired locations, remote-support changes, identity consolidation, wireless updates, application releases, incidents, or failed segmentation tests. Assign the trigger review to procurement and change-management workflows rather than relying on annual memory.

The final scope package should identify unresolved assumptions and the evidence needed to close them. A provider answer, route test, data search, rule export, or administrator-path review may change the boundary. Keep those items visible as scope risks instead of silently classifying the affected systems as out of scope.

The official scope principle behind the architecture

Scope includes systems that store, process, or transmit payment account data and systems that can impact CDE security. Segmentation claims require documentation and effective testing. Review PCI DSS scope context.

Use scope to select the next technical discipline

Ecommerce, POS, virtual-terminal, and cloud teams should follow the payment-technology dossier. Teams relying on segmentation should plan the testing evidence that validates isolation.

PCI DSS for Cloud, Ecommerce, POS, and Payment Applications: Trace browser, terminal, cloud, and remote-support dependencies through the boundary.

PCI DSS SAQ, AOC, ROC, QSA, and ASV Validation Guide: Match the confirmed architecture to the correct validation route.

PCI DSS Compliance Roadmap for Orange County Businesses: Turn scope reduction into a phased implementation and maintenance plan.

Return to the roadmap when scope reduction requires a multi-phase implementation project. Contact OC Security Audit.

Validate boundaries across networks, identity, cloud, and vendors

Ali Hassani reconciles payment-flow diagrams with firewall rules, routes, management platforms, administrator access, provider services, logs, and testing evidence.

Ali Hassani is a CISO, cybersecurity and IT consultant, and infrastructure leader with 25+ years of experience. His credentials include CISSP, CCISO, CCNP, CCNA, MCSE, MCSA Security, MCITP, MCP, and MCTS.