While the Payment Card Industry (PCI) Data Security Standard (DSS) arguably does a better job than most standards in defining scope, there is one part of the DSS that needs to be clarified. The DSS determines scope in terms of “system components,” which it defines as follows.
The PCI DSS security requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment. “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (for example, Internet) applications. (emphasis mine)
Thus, a “system component” is part of the cardholder data environment (CDE) if either of the following conditions are met:
(1) the system component stores, processes, or transmits cardholder data, or
(2) the system component is “connected” to another system component that does satisfy condition (1).
The DSS does not explicitly what condition (2) means, however. The purpose of this post is to fill that gap by interpreting (2).