Regarding PCI DSS compliance, I’m often asked as a PCI QSA: what is the cardholder environment? In essence, people want to know what is in scope and how scope is determined. To be honest, there is no clear black-and-white answer; many variables come into play, the biggest being the growth of outsourced third-party providers, such as managed service providers and data center/co-location entities, among others.
As for the entities and organizations that are in scope, it is essentially any organization that is directly involved in the processing, storage, or transmission of transaction data or cardholder data.
Regarding the cardholder data itself, think of any system that supports the transaction or storage of cardholder data. Any “system component” that cardholder data travels across, or any “system component” where cardholder data resides, is in scope.
One can quickly see how third-party providers can easily be brought into the scope of the audit. Talk to your Qualified Security Assessor (QSA); he or she should have the knowledge to determine which organizations involved in the process are in scope and what the actual “system components” of the cardholder environment are.