PCI DSS Scope Calculator
Understanding your PCI DSS scope is the foundation of compliance. The scope defines which systems, networks, and people are involved in storing, processing, or transmitting cardholder data—and therefore must meet PCI DSS requirements.
What Does PCI DSS Scope Mean?
PCI DSS scope includes the cardholder data environment (CDE) itself and all system components connected to it. This typically includes servers that store or process card data, networks that transmit it, and any system that can access the CDE. A clear scope definition helps you focus security efforts where they matter most.
Why Scope Reduction Matters
Reducing scope lowers compliance cost and complexity. By minimizing the number of systems that handle cardholder data—for example, through tokenization or outsourcing payment processing—merchants can often qualify for simpler Self-Assessment Questionnaires (SAQs) and reduce the number of controls they must implement.
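The scoping rule above (assets handling cardholder data form the CDE, and anything that can reach the CDE is also in scope unless a segmentation control cuts the path) can be applied mechanically to an asset inventory. The following is an added example written for this page, not code from the page or any vendor tool; the asset names, connectivity and the segmentation rule are constructed.

```python
# Added example: a minimal PCI DSS scope calculator over a constructed inventory.
# Each asset records whether it stores, processes or transmits cardholder data
# (CHD) and which assets it can open connections to. Simplifying assumption:
# a connection is counted from the initiating side only.
from collections import deque

ASSETS = {  # constructed sample inventory, hypothetical names
    "checkout-web":   {"handles_chd": True,  "connects_to": ["payments-db", "tokenizer"]},
    "payments-db":    {"handles_chd": True,  "connects_to": []},
    "tokenizer":      {"handles_chd": True,  "connects_to": ["payments-db"]},
    "pos-terminal":   {"handles_chd": True,  "connects_to": ["checkout-web"]},
    "admin-jumphost": {"handles_chd": False, "connects_to": ["payments-db"]},
    "hr-wiki":        {"handles_chd": False, "connects_to": ["admin-jumphost"]},
    "marketing-site": {"handles_chd": False, "connects_to": []},
}

# Segmentation controls: (source, destination) links a firewall rule blocks.
SEGMENTED = {("hr-wiki", "admin-jumphost")}  # constructed


def classify_scope(assets, segmented=frozenset()):
    """Return the CDE, the connected-to systems, and the out-of-scope set."""
    cde = {name for name, a in assets.items() if a["handles_chd"]}

    # Reverse adjacency: for each asset, which assets can reach it,
    # ignoring links that a segmentation control blocks.
    reaches = {name: set() for name in assets}
    for src, a in assets.items():
        for dst in a["connects_to"]:
            if dst in assets and (src, dst) not in segmented:
                reaches[dst].add(src)

    # Walk backwards from the CDE: every asset that can reach an in-scope
    # asset is itself in scope (connectivity is transitive).
    in_scope = set(cde)
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        for src in reaches[node]:
            if src not in in_scope:
                in_scope.add(src)
                queue.append(src)

    return {
        "cde": cde,
        "connected": in_scope - cde,
        "out_of_scope": set(assets) - in_scope,
    }
```

Running `classify_scope(ASSETS)` versus `classify_scope(ASSETS, SEGMENTED)` shows the scope-reduction effect: without the segmentation rule the HR wiki is pulled into scope through the jump host, with it the wiki drops out.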
Examples of In-Scope Systems
- Web servers that host checkout pages or payment forms
- Databases that store cardholder data (even temporarily)
- Point-of-sale (POS) terminals and integrated systems
- Networks that connect to systems processing card data
- Third-party service providers with access to cardholder data
Benefits of Using a Structured Scope Tool
A structured scope assessment guides you through transaction flows and environment types, helping you identify what is in scope and what is not. This reduces guesswork and ensures you have a defensible scope definition for your acquirer or assessor.