docs: add PCI scope change evidence gates #1393

Open

catcherintheroad-hub wants to merge 1 commit into UnitOneAI:main from catcherintheroad-hub:improve/pci-scope-change-evidence

Conversation

@catcherintheroad-hub

Created from review issue: #1392

Summary

  • Add PCI DSS v4.0 Req 12.5.3 significant-change scope impact evidence gates.
  • Require change records, CHD/SAD flow updates, CDE and connected-to system inventory refresh, segmentation revalidation, TPSP responsibility updates, evidence refresh, and owner approvals.
  • Add a Significant Change Scope Impact report table and edge-case fixtures for serverless payment flows, segmentation changes, TPSP changes, and complete scope impact records.

Validation

  • git diff --check
  • Markdown fence/non-ASCII sanity check
  • Reference URL checks for PCI SSC document library and PCI DSS v4.0 summary of changes

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 289dc055d2

Comment on lines +141 to +143
#### 1.5 Significant Change Scope Impact Analysis (Req 12.5.3)

For each significant change, verify that PCI scope impact was assessed before production release or through a documented emergency-change follow-up.
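
Review bot: The heading at +141 cites Req 12.5.3 for a gate that runs on every significant technical change, but the control that requires scope to be confirmed upon significant change to the in-scope environment is Req 12.5.2; suggest retitling the section to "(Req 12.5.2)" and, if the skill also covers service providers, adding a separate gate for 12.5.3 limited to organizational-structure changes whose review is communicated to executive management. The sentence at +143 asks the reviewer to verify that scope impact "was assessed" but does not say which artifacts satisfy the check; state the minimum evidence set (change record, CHD/SAD flow update, CDE and connected-to system inventory refresh, segmentation revalidation where the change touches segmentation) and a time bound for the emergency-change follow-up so the gate produces consistent findings.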

P2: Keep 12.5.3 scoped to service-provider organizational changes

This new gate applies Req 12.5.3 to every significant technical/environment change, but PCI DSS v4.0 12.5.3 is an additional requirement for service providers covering significant organizational-structure changes and communication of the documented scope/control impact review to executive management. For merchants or changes like serverless payment flows, firewall rules, or cloud architecture, this will make the skill cite the wrong requirement and produce false high-severity 12.5.3 findings instead of using 12.5.2 and the applicable testing requirements.
