April 8, 2016
Written by James Davis
Senior Technical Writer at United Thinkers

Author of the Paylosophy blog, a veteran writer, and a stock analyst with extensive knowledge and experience in the financial services industry that allows me to cover the latest payment industry news, developments, and insights.

Reviewed by
Kathrine Pensatori
Product Specialist at United Thinkers

Product specialist with more than 10 years of experience in the Payment Processing Industry. I help payment facilitators and PSPs solve their various payment processing issues.

PCI scope


Every company that accepts credit card payments and handles cardholder data falls into the so-called PCI scope. This means that, in accordance with payment card industry (PCI) requirements, it has to go through a regular PCI audit. In order to be PCI compliant, the company has to tokenize card numbers. However, if the company does not use any software that handles unencrypted card data, it technically remains out of PCI scope.
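To make the tokenization point concrete, here is an added Python example (it is not code from Paylosophy or United Thinkers) of a minimal token vault: the vault validates the card number with the Luhn check, keeps the PAN on its own side, and hands back a random token that cannot be reversed without the vault; the merchant-side record keeps only the token and the last four digits, which is what keeps the merchant's systems away from unencrypted card data. The class and function names, the HMAC key and the test card number 4111 1111 1111 1111 are constructed for the example.

```python
"""Illustrative token vault: the merchant stores tokens, never the PAN.

Added example; names, key and card number are constructed, not from the page.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """The only component that ever sees the PAN (the in-scope side).

    Tokens are random, so nothing about the PAN can be recovered from a token
    without access to the vault's mapping. An HMAC fingerprint (keyed, so it is
    not a plain hash of the PAN) lets the vault return the same token for a
    repeated card without storing a second copy.
    """

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key                 # constructed key, held by the vault only
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)   # random, non-derivable
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or a processor it trusts) should ever call this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant's own database keeps: token and last four, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan.replace(" ", "")[-4:]}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    record = merchant_record(vault, "4111 1111 1111 1111")   # constructed test PAN
    print("merchant stores:", record)
    print("vault resolves:", vault.detokenize(record["token"]))
```

The merchant-side record is the whole point: once every system outside the vault works with `token` and `last4` only, the card number never appears in the merchant's applications, which is the condition the text gives for staying out of scope.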

PCI Compliance

If a company wants to optimize its infrastructure in terms of PCI compliance, and either get out of PCI scope completely or reduce its “exposure” and audit costs, it needs to answer some fundamental questions and perform some essential steps. First, the company needs to determine which payment types it handles: card-present, card-not-present, and recurring payments. It also has to analyze all the applications it uses, the front-end systems it is connected to, and the processing solutions its merchants use. Once this information is gathered, the company needs to come up with an optimal new solution and discuss it with a PCI auditor. After that, it has to address several important issues, such as card storage and card flow, prioritization of payment ecosystem components, integrations with processors and with providers of tokenization services and point-to-point encryption solutions, migration of cardholder data, and others.

These critical issues provide the basis for a strategy for getting out of PCI scope (or at least reducing the exposure level). The strategy is described in greater detail in the respective article on Paylosophy.
