Scope decisions that survive technical challenge
Begin with data flow, then add control flow. Data flow follows PAN and SAD through capture, authorization, processing, display, storage, export, backup, and deletion. Control flow follows the identities, management tools, software pipelines, network paths, cloud consoles, hypervisors, logging platforms, and providers that can alter those systems. Many underestimated environments map the first flow but omit the second.
Segmentation should be evaluated from representative source locations, including office networks, guest wireless, vendor access, management subnets, cloud networks, virtualization hosts, backup systems, administrator workstations, and other connected environments. A single permitted path may be legitimate, but it must be minimal, authenticated, monitored, documented, and included in the scope analysis rather than treated as invisible.
Shared services require explicit reasoning. Directory services, DNS, NTP, vulnerability scanners, endpoint management, backup, SIEM, certificate services, and patch platforms can support both CDE and non-CDE systems. Determine whether compromise of the shared service could affect payment security, how administrative access is isolated, which logs are available, and whether a dedicated instance or constrained architecture would reduce risk.
Scope governance should be integrated with procurement and change management. New payment methods, websites, plugins, processors, terminals, RMM tools, cloud accounts, wireless designs, acquisitions, office moves, and support providers should trigger a documented PCI DSS impact review. The annual confirmation then validates an actively maintained record instead of reconstructing a year of undocumented change.