This document discusses determining scope for PCI DSS compliance. It begins by outlining the basics of scope, including systems that store, process, or transmit cardholder data and systems connected to or affecting the security of those systems. It then discusses examples of systems that could fall into these categories, including shared network infrastructure. The document reviews new guidance from PCI that provides definitions and examples to help determine what systems are in scope. It emphasizes the need to properly assess risk and validate any systems considered out of scope. The document concludes by discussing penetration testing requirements and reiterating the goal of the new guidance to close security loopholes.