What assets are considered in scope for PCI scans using Control Compliance Suite Vulnerability Manager (CCS-VM)
The PCI-DSS security requirements apply to all system components. In the context of PCI DSS, a “system component” is defined as any network component, server, or application that is included in or connected to the card holder data environment. System components also include any virtual components such as virtual machines, switches/routers, appliances, applications/desktops, and hypervisors.
The cardholders data environment includes people, processes, and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to, Web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom programs deployed internally within the network or externally, such as Internet applications.
For current information on PCI auditing requirments, including requirments based on business model check https://www.pcisecuritystandards.org/
It is recommended that you consult a qualified security assessor (QSA) to determine which assets are in scope and how your network can be segmented to be more secure and shrink your PCI footprint.