
We are a medium-sized organization and use Payment Service Providers for all purchases, including credit card and non-credit card purchases. We get yearly audits and our internal payments platform is fully PCI SAQ-A EP compliant.

We are looking to reduce our PCI footprint and split our payments platform into two - a CDE for interacting with CC providers, and an out-of-scope system for non-CC providers. This will make it simpler to grow our payments platform without increasing our PCI footprint.

We have been working with a consultant to split out the CDE from non-CDE components, and it has been a bit of a challenge as you might imagine. We have arrived at a flow the QSA is satisfied with. However, we have significant disagreement internally over part of the flow and I was hoping to get outsiders' opinions. Below is a very high-level flow to illustrate.

tl;dr

When a user purchases an item, it can be via a CC or non-CC service provider. For CC service providers the flow navigates to the CDE. All other purchases navigate to the out-of-scope environment. Some services in the CDE also run in the out-of-scope environment.

In the diagram the client and CDE are in scope.

Steps 6 - 14 have been reviewed by our consultant and are OK. Our QSA is happy that we are trying to contain and reduce our PCI footprint.

question

Do steps 1 - 5 put the CDE at risk because we reach into out-of-scope systems before talking to the CDE?

Steps 1 - 5 reach into the out-of-scope system to get data before presenting the items to purchase. We have some very vocal objections to this internally (we have not been able to get a clear answer from our consultant yet) and they see steps 1 - 5 as clearly affecting the security of the CDE in steps 6 - 14. I don't see how that could happen since the client and CDE are in scope.

Thoughts?

[Diagram of the purchase flow, steps 1 - 14; image not included]
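Added example, not code from the question or its diagram: a sketch of how the in-scope client can consume catalogue data from the out-of-scope system (steps 1 - 5) while treating it as untrusted input, so that the out-of-scope system supplies only validated item data and never steers where the in-scope flow goes next (steps 6 - 14). The field names, the "cc"/"non-cc" labels, the currency list and the endpoint URLs are assumptions, and the catalogue response is constructed for the example.

```javascript
// Added example, not code from the question or its diagram. Models the
// in-scope client: catalogue data from the out-of-scope system is untrusted
// input, validated against an allow-list before the client decides whether
// the purchase goes to the CDE or to the out-of-scope environment.
// Field names, method labels, currencies and endpoint URLs are assumptions.

const MAX_NAME_LEN = 120;
const ALLOWED_METHODS = new Set(["cc", "non-cc"]);         // assumed labels
const ALLOWED_CURRENCIES = new Set(["USD", "EUR", "GBP"]); // assumed subset

// Fixed table of where each purchase type is sent. The out-of-scope response
// never supplies a URL, so it cannot redirect the in-scope flow.
const ENDPOINTS = Object.freeze({
  "cc": "https://cde.example.invalid/checkout",     // placeholder, assumed
  "non-cc": "https://pay.example.invalid/checkout", // placeholder, assumed
});

// Validate one catalogue item from the out-of-scope API. Returns a frozen
// object holding only the allow-listed, type-checked fields, or null on any
// deviation. Unknown properties are dropped rather than passed through.
function sanitizeCatalogItem(raw) {
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) return null;
  const { id, name, priceMinor, currency, paymentMethod } = raw;
  if (typeof id !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(id)) return null;
  if (typeof name !== "string" || name.length === 0 || name.length > MAX_NAME_LEN) return null;
  if (!Number.isSafeInteger(priceMinor) || priceMinor < 0) return null; // minor units only
  if (!ALLOWED_CURRENCIES.has(currency)) return null;
  if (!ALLOWED_METHODS.has(paymentMethod)) return null;
  return Object.freeze({ id, name, priceMinor, currency, paymentMethod });
}

// Escape text for insertion into HTML so a product name is displayed as text
// rather than interpreted as markup by the in-scope page.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Decide which environment handles the purchase (the step 5 to step 6
// transition). Only the sanitized item and the fixed ENDPOINTS table take part.
function routePurchase(raw) {
  const item = sanitizeCatalogItem(raw);
  if (item === null) return { ok: false, reason: "catalogue item rejected" };
  return {
    ok: true,
    target: ENDPOINTS[item.paymentMethod],
    itemId: item.id,
    displayName: escapeHtml(item.name),
  };
}

function routeAll(catalog) {
  return catalog.map(routePurchase);
}

// Constructed sample response from the out-of-scope catalogue service.
const SAMPLE_CATALOG = Object.freeze([
  { id: "sku-1001", name: "Annual plan", priceMinor: 12000, currency: "USD", paymentMethod: "cc" },
  // Extra field the client must not honour: dropped by the sanitizer.
  { id: "sku-1002", name: "Gift <b>voucher</b>", priceMinor: 2500, currency: "EUR",
    paymentMethod: "non-cc", checkoutUrl: "https://elsewhere.example.invalid/" },
  // Unknown payment method: rejected outright.
  { id: "sku-1003", name: "Add-on", priceMinor: 500, currency: "USD", paymentMethod: "wallet" },
  // Price as a string instead of an integer: rejected.
  { id: "sku-1004", name: "Support", priceMinor: "500", currency: "USD", paymentMethod: "cc" },
]);

for (const result of routeAll(SAMPLE_CATALOG)) {
  console.log(JSON.stringify(result));
}
```

The design choice worth noting is that the out-of-scope system only ever contributes data that the client checks against a schema it owns; the routing decision and the target URLs live in the in-scope client, so a compromised catalogue service can at most show wrong items or be rejected, not change which environment the shopper is sent to.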
