Every company that accepts credit card payments and handles cardholder data falls into the so-called PCI scope. This means that, in accordance with payment card industry (PCI) requirements, it has to undergo regular PCI audits. In order to be PCI compliant, the company has to perform tokenization of card numbers. However, technically, if the company does not use any software that handles unencrypted card data, it remains out of PCI scope.
If a company wants to optimize its infrastructure in terms of PCI compliance and either get out of PCI scope completely or reduce its “exposure” and audit costs, it needs to answer some fundamental questions and perform some essential steps. The company needs to determine which payment types it has to handle: card-present, card-not-present, and recurring payments. It also has to analyze all the applications it uses, the front-end systems it is connected to, and the processing solutions its merchants use. Once this information is obtained, the company needs to come up with an optimal new solution and discuss it with a PCI auditor. After that, it has to address several important issues, such as card storage and card flow, prioritization of payment ecosystem components, integrations with processors and with providers of tokenization services and point-to-point encryption solutions, migration of cardholder data, and others.
These critical issues provide the basis for a strategy for getting out of PCI scope (or at least reducing the exposure level). The strategy is described in greater detail in the respective article on Paylosophy.