Say I have an application that takes credit cards, but this is actually a payment gateway on the internet that I don't control.
The website uses HTTPS and only returns whether the card was authorized or not, and stores the last 4 digits of the PAN.
With this setup, how much, if any, of the infrastructure is really in scope?