Payment infrastructures are security-critical networked systems whose control status may change as attacks, remediation, and recovery unfold. In such environments, PCI DSS requirement applicability and control satisfaction are not fixed properties of a final assessment point, but may vary across intermediate operational states. Endpoint-oriented standards assessment can consequently fail to retain violations that arise during malware infection, lateral movement, segmentation failure, service disruption, or subsequent restoration. This paper introduces SCF-PCI, a formal and executable framework for path-sensitive PCI DSS valuation over adversarially evolving payment-system states. The framework defines a PCI valuation domain, separates requirement-check applicability from satisfaction, and assigns state-indexed valuations to each reached state. These valuations are then lifted to execution paths, whilst endpoint loss is characterised through restoration, applicability-window closure, and domain exit. SCF-PCI is implemented in OPA Rego using OSCAL-represented PCI DSS control artefacts and evaluated across representative payment-network attack scenarios involving malware infection, remote compromise, DDoS disruption, spyware-assisted fraud, and recovery paths. The results show that state-indexed valuation preserves compliance-relevant security violations that endpoint-only assessment fails to retain. The framework contributes a standards-based assurance method for network and system security analysis in adversarial payment environments.