- Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.
- Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.
- In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.
Scope of PCI DSS
- PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.
- The cardholder data environment is comprised of people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.
- “System components” include network devices, servers, computing devices and applications.
How to Scope
PCI DSS requirements apply to all system components included in or connected to the cardholder data environment.
The cardholder data environment (CDE) comprises people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.
Examples of system components that may be in scope include, but are not limited to:
- Systems providing security services, segmentation, or that impact the security of the CDE
- Virtualization components
- Network components such as firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
- Servers such as Web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name system (DNS)
- Applications including internal and external (for example internet) applications.
- Any other component or device located within or connected to the CDE
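The scoping rules above (in the CDE, connected to the CDE, providing security services to the CDE, or anything at all on a flat network) can be applied mechanically to a system inventory. The following is an added example, not part of the original page and not a PCI SSC tool; the inventory, segment names, and helper names (`System`, `Inventory`, `scope`, `out_of_scope`) are constructed for illustration.

```python
"""Added example: derive PCI DSS scope from a constructed system inventory.

Rules applied, following the page's wording:
  1. A flat (unsegmented) network with any account data puts every system in scope.
  2. Any segment holding a system that stores, processes or transmits account data
     is part of the CDE; every system in that segment is in scope regardless of role.
  3. A system with direct connectivity to a CDE system is in scope.
  4. A system providing security services or segmentation for the CDE is in scope.
All names below are constructed sample data, not a real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    segment: str                    # network segment the system sits in
    account_data: bool = False      # stores, processes or transmits account data
    security_for_cde: bool = False  # firewall, auth, logging, NTP, etc. serving the CDE


@dataclass
class Inventory:
    systems: list        # list[System]
    links: set           # {frozenset({a, b})}: a and b have network connectivity
    segmented: bool      # False means a flat network with no segmentation


def cde_members(inv):
    """Return the names of every system located within the CDE."""
    cde_segments = {s.segment for s in inv.systems if s.account_data}
    return {s.name for s in inv.systems if s.segment in cde_segments}


def scope(inv):
    """Return {system name: reason} for every in-scope system."""
    if not inv.segmented and any(s.account_data for s in inv.systems):
        # Rule 1: flat network, account data present somewhere -> everything is in scope
        return {s.name: "flat network with account data present" for s in inv.systems}
    cde = cde_members(inv)
    reasons = {}
    for s in inv.systems:
        if s.name in cde:
            reasons[s.name] = "located within the CDE"                 # rule 2
        elif any(frozenset({s.name, c}) in inv.links for c in cde):
            reasons[s.name] = "connected to a CDE system"              # rule 3
        elif s.security_for_cde:
            reasons[s.name] = "provides security services for the CDE"  # rule 4
    return reasons


def out_of_scope(inv):
    """Systems not matched by any scoping rule, sorted by name."""
    return sorted({s.name for s in inv.systems} - scope(inv).keys())


# Constructed sample inventory (hypothetical names).
SYSTEMS = [
    System("pay-db", "cde", account_data=True),
    System("pay-app", "cde", account_data=True),
    System("cde-monitor", "cde"),                        # in the CDE segment, no card data itself
    System("jump-host", "corp"),                         # reaches pay-app
    System("ntp-1", "corp"),                             # reaches pay-db
    System("hr-laptop", "corp"),                         # only reaches ntp-1
    System("edge-fw", "dmz", security_for_cde=True),     # segments the CDE
]
LINKS = {
    frozenset({"jump-host", "pay-app"}),
    frozenset({"ntp-1", "pay-db"}),
    frozenset({"hr-laptop", "ntp-1"}),
}
SEGMENTED = Inventory(SYSTEMS, LINKS, segmented=True)
FLAT = Inventory(SYSTEMS, LINKS, segmented=False)

if __name__ == "__main__":
    for label, inv in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(f"== {label} ==")
        for name, why in scope(inv).items():
            print(f"  in scope : {name:12} ({why})")
        print(f"  out      : {out_of_scope(inv)}")
```

Note that the connectivity check uses direct links only, which is how the page phrases the rule ("systems that connect to a system in the CDE"): `hr-laptop` is out of scope even though it talks to `ntp-1`, which is in scope, while `cde-monitor` is in scope purely by sitting in the CDE segment. Removing segmentation collapses every distinction and brings the whole inventory, `hr-laptop` included, into scope.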
- Simple Payment Setup Protocol (SPSP)
- SOAP XML Web Services
- HTTP/S POST APIs