leehvaughn
04-19-2007, 07:21 AM
It seems that this is the most subjective area to be settled on before an assessment can get started.
Are there any good resources for helping determine how to limit the scope of an assessment?
What should be considered a minimum level of evidence and artifacts to be examined before agreeing to the limited scope?
Thanks for your help.
lyalc
04-20-2007, 04:17 AM
A good start is the first para on page 5 of the PCI audit procedures.
Forums like this are also great ways to share info!
Simple rule of thumb, for general cases, is:
"If it processes, stores or transmits card info, it's in scope"
"If it directly supports the components in the above, it's in scope"
"If it connects directly to the components in the above 2 lines for support, production or administration, it's in scope"
You should be left with a simple perimeter based on subnets and servers, production payments support, and payments operations monitoring, with 2 or 3 (ideally) 'bridges' to the rest of the world: internet, rest of company, and rest of production. It's not common that sites are so 'clean and simple' though.
When in doubt, see the first para on page 5 of the PCI audit procedures.
Network address segmentation, firewalls, and tangible physical boundaries are useful ways to separate out non-PCI components.
lyalc
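The three rules of thumb in the post above can be applied mechanically to an asset inventory once you know which hosts handle card data, which hosts support them, and which connections the firewalls actually permit. The script below is an added example, not part of lyalc's post or of any PCI document: it encodes exactly those three rules (and no more of the DSS scoping guidance) over a constructed inventory with hypothetical host names, and shows how removing a direct admin path from the office LAN in favour of a single jump host changes the result. Segmentation is modelled simply: a flow the firewall denies is absent from the list, so it cannot pull a host into scope.

```python
"""Scope calculation from an asset inventory using the three rules of thumb.

Added example with constructed data; host names are hypothetical.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst purpose")

# Constructed sample inventory (not a real site).
# cardholder_data: the host processes, stores or transmits card data (rule 1).
# supports: hosts this one directly supports (directory, time, patching ...).
ASSETS = {
    "pos-terminal": {"cardholder_data": True},
    "payment-gw":   {"cardholder_data": True},
    "card-db":      {"cardholder_data": True},
    "payments-dc":  {"cardholder_data": False, "supports": ["payment-gw", "card-db"]},
    "ntp-server":   {"cardholder_data": False, "supports": ["payment-gw"]},
    "pay-monitor":  {"cardholder_data": False},
    "jump-host":    {"cardholder_data": False},
    "corp-desktop": {"cardholder_data": False},
    "hr-server":    {"cardholder_data": False, "supports": ["corp-desktop"]},
}

# Flows the firewalls permit. A denied flow is simply absent, which is how
# network segmentation keeps a host out of scope under rule 3.
FLAT_FLOWS = [
    Flow("pos-terminal", "payment-gw", "production"),
    Flow("payment-gw", "card-db", "production"),
    Flow("pay-monitor", "payment-gw", "support"),
    Flow("corp-desktop", "card-db", "administration"),  # direct admin from the office LAN
    Flow("corp-desktop", "hr-server", "production"),
]

SEGMENTED_FLOWS = [
    Flow("pos-terminal", "payment-gw", "production"),
    Flow("payment-gw", "card-db", "production"),
    Flow("pay-monitor", "payment-gw", "support"),
    Flow("jump-host", "card-db", "administration"),     # the one admin 'bridge'
    Flow("corp-desktop", "jump-host", "administration"),
    Flow("corp-desktop", "hr-server", "production"),
]


def compute_scope(assets, flows):
    """Apply the three rules of thumb; return {host: reason} for in-scope hosts."""
    # Rule 1: processes, stores or transmits card data.
    scope = {name: "rule 1: handles card data"
             for name, attrs in assets.items() if attrs.get("cardholder_data")}
    cde = set(scope)
    # Rule 2: directly supports a rule-1 component.
    for name, attrs in assets.items():
        supported = [t for t in attrs.get("supports", ()) if t in cde]
        if name not in scope and supported:
            scope[name] = "rule 2: supports " + ", ".join(supported)
    # Rule 3: direct support/production/admin connection to a rule-1 or rule-2
    # component. Only those two classes propagate, so a host that merely reaches
    # a rule-3 host (a desktop using the jump host) is not pulled in here.
    core = set(scope)
    for f in flows:
        for near, far in ((f.src, f.dst), (f.dst, f.src)):
            if near in core and far not in scope:
                scope[far] = f"rule 3: {f.purpose} connection to {near}"
    return scope


def out_of_scope(assets, flows):
    """Hosts none of the three rules reach."""
    return sorted(set(assets) - set(compute_scope(assets, flows)))


def bridges(assets, flows):
    """Permitted flows that cross the scope boundary: the 'bridges' to review."""
    scope = compute_scope(assets, flows)
    return sorted((f.src, f.dst) for f in flows if (f.src in scope) != (f.dst in scope))


if __name__ == "__main__":
    for label, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(f"== {label} ==")
        for host, why in sorted(compute_scope(ASSETS, flows).items()):
            print(f"  {host:13s} {why}")
        print("  out of scope:", out_of_scope(ASSETS, flows))
        print("  bridges:", bridges(ASSETS, flows))
```

With the flat flow list the office desktop lands in scope because it administers the card database directly; with the segmented list only the jump host does, and the desktop-to-jump-host flow shows up as the single bridge to review. The inventory and flow lists are the evidence worth asking for before agreeing to a scope: if a host is claimed out of scope, the firewall rules should show no permitted path from it to anything the first two rules caught.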