PCI DSS Scope Reduction

Organisations are increasingly seeking to provide their customers with efficient and widely accessible services for receiving card payments, through a variety of methods such as contactless, web and mobile platforms.

Without adequate planning for how and where this card data will be stored, processed and transmitted, an organisation's entire network environment can quickly fall into scope for a PCI DSS assessment, along with all associated security control requirements.

With the current version of the standard emphasising the importance of being in a position to accurately determine the scope of an organisation's PCI DSS assessment, achieving compliance quickly and cost-effectively can be a challenge.

Through PCI DSS Scope Reduction and simplification, which removes large parts of an organisation's people, processes and technology from scope using methods such as network segmentation of the card data environment, JAW Consulting UK can help you significantly reduce the time, cost and complexity associated with achieving and maintaining PCI DSS compliance.

Fast Track Your PCI DSS Compliance

Request an initial PCI DSS Compliance Program consultation.



We will start by performing a detailed review of the organisation's existing cardholder data flows, associated business processes, system components and network, conducting both on-site and remote interviews with staff members and a thorough review of the existing documentation in place.

Our consultants will then identify key areas where payment card data can be removed completely from business processes, and suggest appropriate technology-based approaches to reduce the number of systems in scope of assessment. Recommendations might include:

  • Amended business processes to remove cardholder data.
  • Network segmentation of the CDE (Card Data Environment) to de-scope networks that do not process, transmit or store cardholder data.
  • Use of technical cryptographic controls, e.g. hashing and encryption.
  • Substitution of card data using tokenization
  • Masking of displayed credit card data
  • Utilisation of P2PE technologies (Point-to-Point Encryption)
  • Outsourcing of payment card processing

Finally we will provide you with a report summarising our findings, a detailed set of actionable recommendations, and an estimation of the benefits of the scope reduction activities.

Key Benefits

  • Achieve PCI DSS compliance quicker, by reducing scope of assessment.
  • Remove the cost and complexity of implementing and maintaining any unnecessary PCI DSS controls.
  • Identify and remediate broken business processes.
  • Significantly reduce the cost of the PCI DSS assessment
  • Lower the risk of a data breach, with consolidation of sensitive cardholder data (CHD) into fewer locations, with stronger controls.

Our Methodology

Stage 1: Pre-Assessment Phase (Off Site)

  • Meeting with key staff members
  • Provide a walkthrough of the PCI DSS Scope Reduction activities and agree roles for the engagement.

Stage 2: PCI Business Process Review Phase

  • Review the existing cardholder data flow documentation
  • Establish the current business processes in place with regard to payment card data.
  • Identify appropriate scope reduction or de-scoping approach.

Stage 3: Reporting Phase

  • Preparation of a PCI DSS Scope Reduction and De-Scoping Proposal (e.g. Network segmentation, P2PE, Tokenization)
  • Presentation of findings and strategic recommendations


  • Total: 5 Days
  • Onsite: 2 Days
  • Remote: 3 Days


  • PCI DSS Scope Reduction and De-Scoping Proposal – Detailed set of recommendations and options to de-scope people, processes and technology from PCI DSS compliance.

Speak with our team today to learn how PCI DSS Scope Reduction can reduce both the cost and time of achieving PCI DSS compliance.
