Which of the following options is included in the PCI DSS scope?

The inclusion of any component that stores cardholder data in the PCI DSS scope is critical because these systems directly manage sensitive information related to payment card transactions. The PCI DSS is designed to protect cardholder data from breaches and unauthorized access, and as such, any system that stores, processes, or transmits such data is fundamentally part of the PCI DSS scope. Ensuring these components are secure is essential for compliance and for safeguarding sensitive customer information.

In the context of PCI DSS, components that do not interact with cardholder data, like non-financial transaction components, virtual systems not processing transactions, or systems that only provide external access without managing cardholder data, are outside the immediate requirement for PCI DSS compliance. These systems may still require attention and security measures but do not fall directly under the regulatory framework that PCI DSS governs. This focus on components that actually handle cardholder data underlines the importance of identifying and securing all systems in scope to mitigate risks effectively.
