What Is PCI Scope?

Glossary

PCI scope defines which systems, people, and processes within an organisation are subject to PCI DSS requirements because they store, process, or transmit cardholder data.

PCI scope refers to the boundary around all systems, network segments, personnel, and processes that are involved in — or could affect the security of — cardholder data. If a server handles card numbers, it is in scope. If a workstation sits on the same network segment as that server, it is likely in scope too. Even employees who never directly see card data may fall within scope if they have access to systems that do. Determining PCI scope is the critical first step in any compliance effort, because everything inside that boundary must meet the full set of PCI DSS requirements.

The challenge for most organisations is that PCI scope tends to expand in ways that are not immediately obvious. A CRM system that logs call recordings where customers read out their card numbers is in scope. A database that caches transaction details containing the primary account number is in scope. A developer’s laptop that can SSH into a production payment server is, potentially, in scope. The larger the scope, the more expensive and complex compliance becomes — more systems to harden, more people to train, more audit evidence to gather.

This is why scope reduction is one of the most important goals in any payment architecture. Techniques like tokenization, network segmentation, and the use of hosted payment fields are all designed to shrink the number of systems that ever touch raw cardholder data. The smaller the scope, the lower the compliance cost, the faster the audit, and the smaller the attack surface.
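To make the scoping rules described above concrete, here is an added example, not code from the page or from Shuttle, that models a small asset inventory and computes which systems fall into PCI scope. It assumes two simplified rules: any system that stores, processes or transmits cardholder data (CHD) is in the cardholder data environment (CDE); any system on the same network segment as a CDE system, or with an allowed network path into one, is also in scope. It then runs the same inventory through three constructed scenarios (flat network, segmented network, hosted fields plus tokenization) so the scope-reduction effect is visible as a shrinking set. Asset names, segments and firewall paths are all invented for illustration.

```python
"""Toy PCI scope calculator (added example; all assets and paths are constructed).

Simplified scoping rules used here (a real scoping exercise follows the PCI SSC
scoping guidance and the assessor's judgement, not this script):
  1. Any asset that handles CHD is in the CDE and therefore in scope.
  2. Any asset on the same segment as a CDE asset is in scope (no segmentation
     control separates them).
  3. Any asset with an allowed network path directly into a CDE asset is a
     "connected-to" system and is in scope.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str          # network segment the asset lives on
    handles_chd: bool = False  # stores, processes or transmits raw card data


def compute_scope(assets, allowed_paths):
    """Return the set of asset names in PCI scope.

    allowed_paths is a list of (source, destination) asset-name pairs that a
    firewall permits, e.g. ("dev-laptop", "web-app") for an SSH allow rule.
    """
    by_name = {a.name: a for a in assets}
    cde = {a.name for a in assets if a.handles_chd}
    cde_segments = {a.segment for a in assets if a.handles_chd}

    in_scope = set(cde)
    # Rule 2: same segment as a CDE asset -> in scope.
    for asset in assets:
        if asset.segment in cde_segments:
            in_scope.add(asset.name)
    # Rule 3: direct allowed path into the CDE -> connected-to, in scope.
    for src, dst in allowed_paths:
        target = by_name.get(dst)
        if target is not None and (dst in cde or target.segment in cde_segments):
            in_scope.add(src)
    return in_scope


# Scenario A (constructed): flat network, card numbers handled in-house.
FLAT_ASSETS = [
    Asset("web-app", "corp", handles_chd=True),   # checkout form posts PANs here
    Asset("db-cache", "corp", handles_chd=True),  # caches transaction details incl. PAN
    Asset("crm", "corp"),
    Asset("hr-portal", "corp"),
    Asset("dev-laptop", "corp"),
]

# Scenario B (constructed): CDE moved to its own segment; one SSH allow rule remains.
SEGMENTED_ASSETS = [
    Asset("web-app", "cde", handles_chd=True),
    Asset("db-cache", "cde", handles_chd=True),
    Asset("crm", "corp"),
    Asset("hr-portal", "corp"),
    Asset("dev-laptop", "corp"),
]
SEGMENTED_PATHS = [("dev-laptop", "web-app"), ("crm", "hr-portal")]

# Scenario C (constructed): hosted payment fields capture the card in the
# provider's domain and return a token, so no in-house asset handles CHD.
TOKENIZED_ASSETS = [
    Asset("web-app", "cde"),    # receives only a token, never the PAN
    Asset("db-cache", "cde"),   # stores tokens, not card numbers
    Asset("crm", "corp"),
    Asset("hr-portal", "corp"),
    Asset("dev-laptop", "corp"),
]


def scope_by_scenario():
    """Scope for each scenario, showing how segmentation and tokenization shrink it."""
    return {
        "flat": compute_scope(FLAT_ASSETS, []),
        "segmented": compute_scope(SEGMENTED_ASSETS, SEGMENTED_PATHS),
        "tokenized": compute_scope(TOKENIZED_ASSETS, SEGMENTED_PATHS),
    }


if __name__ == "__main__":
    for name, scope in scope_by_scenario().items():
        print(f"{name:>10}: {len(scope)} in scope -> {sorted(scope)}")
```

Note how the SSH allow rule alone keeps the developer laptop in scope in the segmented scenario; removing the last CHD-handling system (scenario C) is what finally empties the in-house scope, which is the effect hosted fields and tokenization are designed to achieve.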

Shuttle Global’s architecture is purpose-built to minimise PCI scope for its customers. With Embedded Payments, card data is captured in Shuttle’s hosted payment fields and tokenized before it ever reaches the platform’s backend — meaning the platform’s own servers never see or store a card number. With Voice Checkout, Shuttle’s DTMF masking technology intercepts keypad tones on the telephony layer so that the contact centre agent, the call recording system, and the platform’s infrastructure are all kept out of scope. Payment Links work similarly: the entire checkout is hosted on Shuttle’s PCI-certified domain. In every product, the design principle is the same — Shuttle absorbs the PCI scope so the platform does not have to.
