PCI DSS · CDE SCOPE

Ask three teams what's in your CDE, you'll get three answers.

Your diagram says 47 services. Your inventory says 112. A runtime trace finds 237 callers — and only 11 actually load cardholder data. This worksheet reconciles all three into one scope you can defend to a QSA.

Defend the eleven, not the two hundred and thirty-seven.

Get the CDE Runtime Mapping Worksheet

A free, fillable worksheet to reconcile your documented CDE with what's actually running. Instant download.

What we validate:

Execution of recent npm, Shai-Hulud and TeamPCP-related code paths.

Credential exposure (tokens, env, CI secrets).

Persistence or follow-on activity.

Runtime reachability and exploitability.

WHAT'S INSIDE

Reconcile the CDE you documented with the CDE you're running. Here's what's inside:

A prep checklist of the three sources to gather first
Capture your three CDE numbers — with built-in gap math
A service-by-service classification table
A 90-day reconciliation plan with owners and dates

Gather three artifacts, run three working sessions, and walk out with one defensible scope.

Reconcile your CDE scope with what's actually running — in 90 days.