PCI DSS 4.0.1 — Payment Card Data Scope

constraint.pci-dss-scope-payment-card-data ↗

Organizations that store, process, or transmit payment card cardholder data (CHD) — or whose systems could impact the security of CHD — enter the PCI DSS scope and must meet 12 requirements (PCI DSS 4.0.1). CDPs and CDWs that receive raw PANs, CVVs, or cardholder data are in-scope. Scope-reduction mechanisms (tokenization, P2PE, hosted payment pages, network segmentation) can remove the CDP/CDW from PCI scope by ensuring CHD never reaches them.