Scoping Question - DMZ


evelyn
01-15-2009, 07:03 AM
From my understanding, web servers should be considered as part of the cardholder environment as they are transmitting cardholder data hence they are in the PCI audit scope.

Suppose the web servers reside in the DMZ, alongside other servers that are not 'supposed' to be part of the cardholder environment. Do we have to include those servers in the PCI audit scope as well?

The question is that these servers are all meant to be public-facing, which is why they are placed in the DMZ. Is there a need to further separate the DMZ into 2 segments, the cardholder environment and the non-cardholder environment?

Please advise, thanks!

jbhall56
01-15-2009, 09:46 AM
Suppose the web servers reside in the DMZ, alongside other servers that are not 'supposed' to be part of the cardholder environment. Do we have to include those servers in the PCI audit scope as well?

The question is that these servers are all meant to be public-facing, which is why they are placed in the DMZ. Is there a need to further separate the DMZ into 2 segments, the cardholder environment and the non-cardholder environment?

The key here is how the DMZ is configured.

1. Are the servers all in the same network segment (i.e., they all have the same IP addressing structure such as 192.168.x.x)?

2. Can the servers communicate with one another?

3. If the servers are running Windows, are these servers part of the same domain?

If you answered Yes to the first two questions for any environment and Yes to the third question for Windows environments, then the DMZ is not segmented and all of the servers are in scope.
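An added example, not code from either post and not an official PCI SSC tool: a small Python scope check that applies the three questions above to an inventory of DMZ hosts. It goes a step further than the post's all-or-nothing conclusion by propagating scope host by host: any server that shares a network segment or a Windows domain with an in-scope server, or that the firewall permits to talk with one, is pulled into scope, and the process repeats until nothing new joins. The host names, addresses, the firewall rule list and the domain name are constructed sample values; the rule model (first match wins, default deny) is an assumption, not a description of any particular firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Host:
    name: str
    address: str                            # "ip/prefix" as assigned on the DMZ interface
    handles_chd: bool                       # stores, processes or transmits cardholder data
    windows_domain: Optional[str] = None    # None for non-Windows or standalone hosts


@dataclass
class FirewallRule:
    src_net: str    # CIDR of permitted/denied source
    dst_net: str    # CIDR of permitted/denied destination
    allow: bool


def _ip(host: Host):
    return ipaddress.ip_interface(host.address).ip


def same_segment(a: Host, b: Host) -> bool:
    """Question 1: do both hosts sit in the same IP network (same broadcast domain)?"""
    return (ipaddress.ip_interface(a.address).network
            == ipaddress.ip_interface(b.address).network)


def firewall_permits(src: Host, dst: Host, rules: List[FirewallRule]) -> bool:
    """Assumed rule model: first matching rule wins, anything unmatched is denied."""
    for rule in rules:
        if (_ip(src) in ipaddress.ip_network(rule.src_net)
                and _ip(dst) in ipaddress.ip_network(rule.dst_net)):
            return rule.allow
    return False


def can_communicate(a: Host, b: Host, rules: List[FirewallRule]) -> bool:
    """Question 2: can the hosts talk in either direction?"""
    if same_segment(a, b):
        return True     # no filtering device sits between hosts on one segment
    return firewall_permits(a, b, rules) or firewall_permits(b, a, rules)


def shared_domain(a: Host, b: Host) -> bool:
    """Question 3: same Windows domain, a trust path that bypasses IP filtering."""
    return a.windows_domain is not None and a.windows_domain == b.windows_domain


def pci_scope(hosts: List[Host], rules: List[FirewallRule]) -> Dict[str, str]:
    """Return {host name: reason} for every host that ends up in PCI scope."""
    scope = {h.name: "handles cardholder data" for h in hosts if h.handles_chd}
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for h in hosts:
            if h.name in scope:
                continue
            for other in hosts:
                if other.name not in scope:
                    continue
                if same_segment(h, other):
                    reason = f"same network segment as {other.name}"
                elif shared_domain(h, other):
                    reason = f"shares Windows domain {h.windows_domain} with {other.name}"
                elif can_communicate(h, other, rules):
                    reason = f"firewall permits traffic with {other.name}"
                else:
                    continue
                scope[h.name] = reason
                changed = True
                break
    return scope


# Constructed sample inventory: one DMZ, four segments, one CHD-handling web server.
SAMPLE_HOSTS = [
    Host("web",        "192.168.10.5/24", handles_chd=True,  windows_domain="DMZ-AD"),
    Host("dns",        "192.168.10.6/24", handles_chd=False),
    Host("intranet",   "192.168.20.5/24", handles_chd=False),
    Host("fileserver", "192.168.30.5/24", handles_chd=False, windows_domain="DMZ-AD"),
    Host("mail",       "192.168.40.5/24", handles_chd=False),
]
SAMPLE_RULES = [
    FirewallRule("192.168.40.0/24", "192.168.10.0/24", allow=True),
    FirewallRule("192.168.20.0/24", "192.168.10.0/24", allow=False),
]

if __name__ == "__main__":
    result = pci_scope(SAMPLE_HOSTS, SAMPLE_RULES)
    for name, why in result.items():
        print(f"{name:<12} IN SCOPE: {why}")
    for h in SAMPLE_HOSTS:
        if h.name not in result:
            print(f"{h.name:<12} out of scope")
```

In the sample, only the intranet server stays out of scope: it is on its own segment, has no domain membership and the firewall denies it a path to the web segment. The DNS server is dragged in by sharing the web server's segment, the file server by sharing its Windows domain, and the mail server by a permitted firewall path, which is the point of the three questions: segmentation has to hold on all three axes before a DMZ neighbour can be left out of the assessment.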