How to Define “Connected Systems” to the PCI Cardholder Data Environment (CDE)

While the Payment Card Industry (PCI) Data Security Standard (DSS) arguably does a better job than most standards in defining scope, there is one part of the DSS that needs to be clarified. The DSS determines scope in terms of “system components,” which it defines as follows.

The PCI DSS security requirements apply to all system components. In the context of PCI DSS, “system components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment. “System components” also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (for example, Internet) applications. (emphasis mine)   

Thus, a “system component” is part of the cardholder data environment (CDE) if either of the following conditions are met:  

(1) the system component stores, processes, or transmits cardholder data, or

(2) the system component is “connected” to another system component that does satisfy condition (1).

The DSS does not explicitly what condition (2) means, however. The purpose of this post is to fill that gap by interpreting (2). 


  1. Lance Dec 6, 2010 at 4:01 pm | Permalink

    I am not sure I would consider the web application scanner to be included. You should be scanning the web application coming in from the internet to simulate a customer / visitor. This makes this system no more “connected” than any other visitor to your site.

  2. matthew Dec 8, 2010 at 7:15 am | Permalink

    VLAN seperation is not by itself sufficient segmentation. Strong VLAN access control lists and preferrably a stateful firewall separating the VLANs are required to meet the expectations of the PCI DSS. Refer to the Scope and Network Segmention section of the published PCI DSS for the full explanation that supports this requirement.

  3. greystoke Nov 24, 2011 at 10:53 am | Permalink

    Are PCs on a LAN which contains servers with CCD considered ‘system components’, i feel they should but the glossary definitions dont support it.

  4. David M. Zendzian Dec 9, 2011 at 11:06 am | Permalink

    I would add a 3rd point to your list; non-security connections…

    A SQL client doing a backup or sync of databases, a data-transfer that may not include CHD but is still connecting and communicating with the CHE, monitoring systems that increasingly have the ability to run “root” commands to auto-correct problems, …

    There are lots of other connections that are home-grown based on the application and environment that still provide connections.

    I have always looked at connected systems as a system that has a connection 🙂 At a simplest layer UDP is stateless and does not have a “connection” although it is possible to tunnel connections through UDP so a proper evaluation should be done on the communication happening and determine if it is actually a connection or just a burst of information (snmp trap). Also, risk should be considered when looking.

    The connection clause has caused me endless arguments and I look forward to one day it being clarified better by the SSC.

Post a Comment

Your email is never published nor shared. Required fields are marked *