PCI DSS Scope Assessment

Accurately defining the scope of a Cardholder Data Environment (CDE) can be one of the most challenging and critical steps for organisations seeking PCI DSS compliance. An overly wide scope can lead to unnecessary costs, while an under-scoped environment will inevitably lead to non-compliance and a potential data breach, because critical assets are left unidentified and unprotected.

Establishing the correct scope for your Cardholder Data Environment lays a critical foundation on which to base all PCI compliance efforts with confidence.

JAW Consulting UK can work with your organisation to provide a PCI DSS Scope Assessment that determines the right scope for PCI DSS compliance and outlines the controls that are applicable to your environment and transaction volume.

Fast track your compliance with the PCI DSS

Request an initial PCI DSS Compliance Program consultation.



Our consultants work with you to identify all system components included in or connected to the Cardholder Data Environment, and the flows of payment card data through them, including cardholder data and sensitive authentication data.

To achieve this understanding efficiently, we will provide you with our PCI DSS Dataflow Questionnaire and Analysis document, to be completed for each payment system, automated business process and/or manual process involving payment card data. This prepares our consultants for the on-site assessment.

We will then interview key staff members and perform a detailed analysis of the systems used for processing, transmitting or storing cardholder data (CHD) and sensitive authentication data (SAD).

A comprehensive report will then present the findings of our investigation, including card data flow diagrams for each payment card application and a detailed description of the people, processes and technology in scope for the organisation's PCI DSS compliance.

Key Benefits

  • Reduce the time to achieve PCI DSS certification.
  • Demonstrate a greater Return-on-Investment (ROI) through efficient use of resources.
  • Establish the critical foundation for PCI Remediation Planning.
  • Reduce cost and complexity by implementing only required controls.
  • Assurance that all cardholder data is identified and protected.

Our Methodology

Step 1: Pre-Assessment Phase (Off-Site)

  • Meeting with key staff members
  • Walkthrough of engagement activities and agreement of roles
  • Provide PCI DSS Data Flow Questionnaire and Analysis Document

Step 2: Assessment (On-Site)

  • Validate PCI DSS Data Flow Questionnaire
  • On-site interviews with key staff interacting with the PCI environment, and information gathering
  • Detailed analysis of cardholder data system components

Step 3: Reporting

  • Produce and deliver Data Flow Analysis diagrams for all environments with cardholder data and sensitive authentication data flows
  • Produce and document a detailed description of all the people, processes and technology in scope for PCI DSS compliance
  • Deliver on-site executive de-briefing


  • Total: 3-5 days
  • Onsite: 1-3 days
  • Remote: 1-2 days


  • Cardholder Data Flow Diagrams – a detailed logical flow diagram, showing the flow of cardholder data and sensitive authentication data through the organisation.
  • PCI DSS Scope Assessment Report – a high-level summary, a definition of the cardholder data environment, and a description of all people, processes and technology in scope.

Speak with our team today to find out what part of your organisation needs to be PCI DSS compliant, and what does not.
