Our expertise
Our services
Who we serve
Insights
About us
Digital Threat Digest Insights Careers Let's talk

Why retail businesses are prone to an increasing PCI scope - and what you can do about it

JBHOGR&C
James Boughey, Head of Governance, Risk & Compliance
Double circle designsagain21

Retail businesses are good at implementing things like new technology and payment channels. What often goes unnoticed is the compliance and operational overhead that accumulates around them, building quietly in the background, year after year, and lingering long after the technology itself has been replaced.

We frequently see retail clients burdened by PCI DSS compliance scopes that are 40%, even up to 50%, larger than required. So, the question worth asking is whether your compliance engagements identify opportunities to reduce scope and simplify compliance.

How PCI scope quietly grows in the retail sector


The structural reasons are specific to retail in a way that don't apply to most other industries, making the sector particularly vulnerable to scope creep.

Every payment channel a retailer adds (click-and-collect, a new mobile app, self-checkout) introduces systems into their Cardholder Data Environment. That's expected and unavoidable. What's less expected is that those systems almost never leave scope. The channel gets built, the scope expands to include it, and from that point on, it becomes part of the annual renewal – and often nobody questions whether it still needs to be there. 
Legacy POS infrastructure compounds this. Many mid-market retailers are running point-of-sale systems that are a decade old, sitting on flat networks where poor segmentation means that systems with no operational relationship to payment data end up in scope simply because of how the network is laid out. The PCI SSC is explicit on this point: assume everything is in scope until verified otherwise. In a flat network, that assumption is expensive.

Third-party vendors extend the problem further. Every integration that touches or could affect the CDE (Payment gateways, IT support providers, cloud platforms, loyalty programme vendors) pulls additional compliance obligations into the merchant's programme. Many retailers haven't formally reviewed these relationships since the integrations were first stood up – a missed opportunity to cut compliance costs.

Then there's the seasonal dimension unique to retail. Peak trading brings temporary terminals, additional payment channels, third-party staffing with system access. It gets stood up quickly. It rarely gets formally decommissioned from a CDE perspective once the season ends.


The result is a compliance programme that accumulates year on year. 

The structural problem nobody talks about

There’s part of this conversation that the industry tends to overlook simply because of how compliance engagements are typically set up.
Annual PCI programmes are usually scoped once, at the start of a supplier relationship, and renewed on that basis each year. The assessment cycle runs, the controls get tested, the report gets issued, and the same scope becomes the baseline for the following year. It's a reasonable model for maintaining compliance, but not one that naturally surfaces opportunities to reduce it.

The result, in practice, is a lot of "see you next year, same as before"—programmes that get automatically renewed rather than challenged. Often, a reassessment isn’t built into the process, and most clients don't know to ask for it.

As a retailer's security posture matures—implementing better controls, tooling and automation—its compliance footprint should reflect that. A business that has invested seriously in modern payment infrastructure should be carrying less compliance overhead than it was five years ago, not more. Good consultancy, delivered over time, should make a programme leaner and more focused, not just maintain what was originally built.
The question for any retailer in a long-standing compliance relationship is a simple one: is your engagement structured to cut unnecessary costs, or just to renew what's already there?


What scope reduction actually looks like in practice


The clearest illustration in PCI is the difference between SAQ A and SAQ A-EP: The two self-assessment questionnaire types most relevant to ecommerce merchants.

An ecommerce retailer on SAQ A-EP is subject to approximately 150 controls. The same retailer, if their payment page is fully hosted by a PCI-compliant third party with no scripts executing in the consumer's browser that they control, may qualify for SAQ A, which carries just 27 controls. That’s a significant change in compliance burden, internal resource requirement and ongoing costs.

Moving between those two isn't always straightforward, but it is often possible, and it is frequently the kind of work that isn’t considered when the annual engagement is built around maintaining the status quo rather than challenging it.

Telephone payments are another common example. Many retailers continue to support legacy telephone payment processes for a channel that represents only a small fraction of transaction volume. The result can be a PCI scope aligned to SAQ C (approximately 130 controls) or SAQ C-VT (around 50 controls). In contrast, a well-designed DTMF masking solution can reduce the environment to SAQ A, with as few as 27 controls. Yet many organisations continue to carry the larger scope simply because the payment channel was designed years ago and has never been reassessed.


PCI DSS v4.0 has created a prompt – make sure you use it

The transition to PCI DSS v4.0.1 (now fully mandatory) introduced a formal annual scope validation requirement (Requirement 12.5.2). Organisations must now document and confirm their scope every year, or whenever there is a significant change to their environment.
That requirement is either a bureaucratic box-tick or a genuine opportunity depending entirely on whether it's treated as a real challenge to what's in scope or simply a renewal of last year's answers. Retailers who use the v4.0.1 transition as a reason to ask the hard questions will come out of it materially better off, both operationally and financially. Those who don't will keep maintaining a programme that was scoped for an outdated version of their business.
Where to start

If your organisation hasn't formally challenged its PCI scope in the last 12 months, a few questions are worth raising with your assessor:

  • Has our scope been formally reviewed since it was originally defined, or has it been carried forward on renewal?
  • Are there payment channels (like telephone payments) that are still in scope but no longer central to how we take payments?
  • As our security controls have matured, have we explored whether that creates descoping opportunities?
  • Are we on the right SAQ type for how our payment environment actually works today?


These are questions that aren’t typically considered in the process unless someone specifically raises them. That's why who you choose as your assessor matters more than it might appear. The technical work of a PCI assessment is broadly consistent across qualified providers. What varies is whether your assessor arrives each year with the intent to maintain your programme or to actively improve it.

At PGI, challenging scope is built into how we approach every engagement, not something clients have to ask for. We think a compliance programme should get leaner and more focused as a business matures, and that a good assessor should be willing to tell you when you can remove unnecessary costs. 

If you'd like an independent view of where your current PCI scope sits, or you're simply not sure when it was last formally challenged, get in touch with us.