Reducing PCI Scope

The cost of maintaining PCI-DSS compliance can have a significant impact on the operating costs of any merchant. Whether a merchant is trying to attain and remain at the highest point (Level 1) or play by the rules at a lower transaction level, it must pay close attention, and dedicate significant resources, to everything it does that involves customer personally identifiable information.

Merchants are always looking for ways to reduce their PCI scope and the resource drain of PCI-DSS compliance efforts, because every dollar not spent on compliance is available to be deployed to revenue-generating programs.

What is PCI-DSS?

PCI-DSS is the Payment Card Industry Data Security Standard: a set of processes, requirements, and measurements that ensure merchants properly secure their customers' payment details. PCI-DSS was first introduced in 2004, as online payments started to ramp up, when both merchants and payment system operators recognized that data breaches, hacking, and other criminality would dampen a rapidly growing e-commerce industry: users who were afraid their cardholder data could be stolen and used without their permission were leery of paying for goods and services online.

While Visa had had its own set of requirements since 2001, the large amount of fraud committed during the early years of the century (in 2000, as much as 3.6% of purchases were fraudulent) meant that the industry needed to come together and agree upon a standard set of rules.

Since 2004, the PCI-DSS standard has been updated a dozen times, with version 4.0 becoming the current official version in March of 2025. All merchants seeking to accept payments via credit card are required to adhere to the PCI-DSS standard, which has four levels, based largely on transaction volume. As a merchant's volume grows, it is required to move from the lowest level, Level 4, progressively up to Level 1, with the complexity, resource requirements, and cost increasing steadily at each step. This cost is the primary reason merchants seek ways to reduce their PCI scope: the smaller the proportion of their payment system that comes under PCI-DSS scope, the lower the drain on business economics.


Which payment systems fall under PCI-DSS scope?

Any part of a system that touches or provides access to consumer personally identifiable information falls under PCI-DSS scope. The implications are significant: this information may be made available to, for instance, customer service representatives, triggering a need for a range of physical restrictions (locked doors with electronic tracking of entries and exits to the workspace, for instance) that can be onerous.

By contrast, systems that do not provide access to cardholder data may be held to a lesser standard. If representatives do not, for instance, have access to meaningful cardholder data, their workspace may not need the same level of scrutiny; similarly, databases that do not hold any PII are unlikely to require the same level of security as those that do.


Ways to Reduce PCI-DSS Scope

There are a range of ways for merchants to reduce PCI-DSS scope, including:

• Don't store primary account numbers (PANs): these are the actual numbers printed on credit cards, which can be used to make purchases. One way to avoid storing them is to use a full-service payment services provider (PSP), which keeps control of the numbers on your behalf.
• Segment your networks: store PANs only in a hard-to-reach corner of your system, and keep that segment away from other systems and people who would otherwise need to be considered in scope.
• Use a programmable payment vault: contract with a provider to collect and securely manage PII, which gives you a token to use for future transactions without being tied to a single PSP.

A programmable payment vault takes the breach risk off your own systems: the information you store there is tokenized, and the token alone cannot be reversed to its original plain-text form. It also allows the merchant to limit the information shared with employees and contractors, providing enough for quality customer service without exposing data unnecessarily.

For instance, you can collect the PII in your vault and receive a token to use in its place. You can then:

• Programmatically instruct the vault to submit a transaction to your choice of PSP. You can switch between PSPs as you prefer, taking advantage of the best fee schedules, volume discounts, and specialty services, without the concern that you might lose control of your customer data (as would be the risk when committing to a single PSP).
• Allow your customer service team access to only the information they need to service support requests, or even obscure the data entirely: for instance, have an agent type the last four digits of a credit card number into the system as dictated by the customer, and let the system decide whether the entry is correct, without revealing the numbers you have stored.
• Direct the vault to deliver selected information to any approved endpoint for a variety of reasons. Anything you store that should remain protected, to avoid it coming into PCI-DSS scope, can be managed and redirected by your payments decisioning engine.
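The three vault operations just listed, as an added illustration that is not part of the original article and not Basis Theory's product or API: the vault class, its methods, the stand-in PSP functions and the test PAN are all constructed for this example.

```python
import hmac
import secrets
from typing import Callable, Dict

# Hypothetical, simplified model of a programmable payment vault.
# The merchant's systems only ever see the token; the PAN stays inside the vault.
class PaymentVault:
    def __init__(self) -> None:
        self._store: Dict[str, str] = {}  # token -> PAN; never leaves the vault

    def tokenize(self, pan: str) -> str:
        # Random token: nothing about the PAN can be derived from it, so a
        # merchant database that holds only tokens holds no cardholder data.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = pan
        return token

    def verify_last4(self, token: str, entered: str) -> bool:
        # Customer-service check: the agent types the four digits the customer
        # dictates; the vault answers yes/no and never returns the PAN.
        pan = self._store.get(token)
        if pan is None or len(entered) != 4:
            return False
        return hmac.compare_digest(pan[-4:], entered)

    def charge(self, token: str, amount_cents: int,
               psp: Callable[[str, int], str]) -> str:
        # The vault, not the merchant, delivers the PAN to the chosen PSP,
        # so the merchant can switch PSPs without ever handling the number.
        return psp(self._store[token], amount_cents)


# Two constructed stand-in PSPs; a real integration would call the PSP's API.
def psp_a(pan: str, amount_cents: int) -> str:
    return f"psp_a:auth:{pan[-4:]}:{amount_cents}"

def psp_b(pan: str, amount_cents: int) -> str:
    return f"psp_b:auth:{pan[-4:]}:{amount_cents}"


def demo() -> dict:
    vault = PaymentVault()
    token = vault.tokenize("4111111111111111")  # constructed test PAN
    return {
        "token": token,
        "last4_ok": vault.verify_last4(token, "1111"),
        "last4_bad": vault.verify_last4(token, "9999"),
        "charge_a": vault.charge(token, 1999, psp_a),  # same token, PSP A
        "charge_b": vault.charge(token, 1999, psp_b),  # same token, PSP B
    }
```

Everything on the merchant side of this model (the token, the yes/no answer, the PSP authorization strings) carries no PAN, which is the property that keeps those systems out of scope.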

Each merchant will still be required to complete a Self-Assessment Questionnaire (SAQ) for the PCI Security Standards Council to validate PCI compliance. Service providers like Basis Theory provide the cardholder data environment (CDE) and developer tools to collect, store, and transmit this sensitive information.

Decoupling cardholder data from any single PSP leads to both time savings and cost savings. Make sure you are choosing the right PCI DSS SAQ.
