What assets are considered in scope for PCI scans using Control Compliance Suite Vulnerability Manager (CCS-VM)
The PCI-DSS security requirements apply to all system components. In the context of PCI DSS, a “system component” is defined as any network component, server, or application that is included in or connected to the card holder data environment. System components also include any virtual components such as virtual machines, switches/routers, appliances, applications/desktops, and hypervisors.
The cardholders data environment includes people, processes, and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to, Web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom programs deployed internally within the network or externally, such as Internet applications.