Where should system components that store cardholder data be placed in relation to network zones?

• A. System components that store cardholder data should be placed in an internal network zone segregated from the DMZ and other untrusted networks.
• B. They should be placed in the DMZ.
• C. They should be publicly accessible.
• D. They should be placed on mobile devices.

Answer: (A)

Keeping cardholder data safe relies on strong network segmentation. System components that store cardholder data belong in an internal, restricted cardholder data environment that is isolated from less-trusted parts of the network. Placing them in an internal zone separated from the DMZ and other untrusted networks creates a protective barrier: even if the outer network is breached, access to stored data remains tightly controlled. The DMZ is meant for systems that must be reachable from the internet and does not serve as a storage area for sensitive cardholder data. Publicly accessible systems and mobile devices introduce too many exposure paths and weaken protections. In short, store cardholder data in an internal, isolated network zone to minimize exposure and support proper access controls and monitoring.