Free · No account · Nothing stored

How much of PCI DSS applies to you?

Ten questions. At the end you'll see how many of the 250 controls are in scope for your environment, and which ones you can rule out. You can download the scoped worksheet and take it to anyone — us or otherwise.

Answer honestly, and if you're unsure, say yes. Erring toward "in scope" is the safe direction: a control you assess unnecessarily costs you an hour, one you wrongly rule out costs you a finding.

Which describes your business?

Service providers carry additional PCI DSS obligations.

Do customers enter card details on a web page you control?

Includes hosted checkout pages you brand or embed.

Do you use physical card terminals or readers?

Card-present terminals bring tamper-inspection requirements.

Do you store full card numbers anywhere?

Including databases, spreadsheets, logs, or backups. If you are not certain, answer yes — unknown storage is the most common finding.

Is there wireless networking in or near your payment environment?

Any Wi-Fi that touches the systems handling card data.

Do you build your own software that touches payments?

Custom code, not off-the-shelf plugins.

Do you run public-facing web applications?
Do you keep card data on paper or removable media?

Receipts, order forms, backup drives.

Do you control physical premises where payment systems live?

Offices, stockrooms, server closets.

Do you rely on third parties for payments or hosting?

Payment gateway, cloud host, managed IT.

Want us to follow up?

Optional. Leave this blank and we store nothing at all — you'll still get your result. Fill it in and we keep only what you type here plus your scope answers.