Episode 55 — Scope Serverless and Containerized Workloads Without Gaps.

About this listen

This episode teaches scoping in modern architectures where ownership boundaries and infrastructure layers can be abstracted, because the exam expects you to apply PCI principles even when there are no “traditional servers” to point at. You’ll learn how to reason about serverless functions, managed runtimes, container platforms, orchestration, and CI/CD pipelines, with emphasis on where cardholder data could be processed, stored, or transmitted and where administrative access can expand scope. We define practical evidence patterns for these environments, such as infrastructure-as-code repositories, pipeline approvals, container image provenance, runtime configuration controls, secrets management, and network policies that enforce isolation. Real-world examples include payment APIs implemented as functions, containers running payment services behind service meshes, and logging pipelines that capture sensitive fields if not tuned carefully, showing how a QSA validates real behavior rather than relying on architecture claims. Troubleshooting guidance covers ephemeral workloads that complicate sampling, shared clusters that blur tenancy boundaries, over-permissive IAM roles, and “temporary” debug settings that accidentally store PAN. By the end, you’ll have a repeatable method to scope and test these environments that matches exam logic and real assessment defensibility. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
