Supposing I had an office full of call centre operators, who sometimes update customers payment details by way of receiving these over the phone and then keying them into a secure web application, which stores the data securely in the "real" CDE. The data is never stored on the call centre operator's PC, nor is it transmitted in an unencrypted fashion.
Per the title, does this mean that those workstations fall into the scope of the CDE per the PCI-DSS definition?
EDIT: Clarification, the web application is an internal application. It is not exposed over public or open networks.