PCI scope

Many companies, whose payment ecosystems fall within the scope of payment card industry security standards (PCI scope), try to optimize their operations in order to reduce their “exposure level” to the minimum. Basically, if a company does not use any software, which “touches” cardholder data in unencrypted format, it does not fall within PCI scope. In order to reduce the costs of PCI audit or get out of PCI scope completely, a company needs to address certain issues concerning its activity. It needs to analyze payment types it needs to handle, front-end systems it is connected to, applications it uses, card storage, card tokenization, and card flow handling techniques it needs to utilize, processing solutions used by its customers (merchants), and various existing integrations. Based on this information it can work out the respective strategy. An example of such a strategy is described in the respective post on Paylosophy.