True or False: If a system component does NOT process or transmit CHD/SAD, it is out-of-scope for PCI?


The statement is true because, in the context of the Payment Card Industry Data Security Standard (PCI DSS), a system component that does not handle Cardholder Data (CHD) or Sensitive Authentication Data (SAD) is considered out-of-scope for PCI compliance. The PCI DSS framework is specifically designed to protect environments that process, store, or transmit this sensitive data.

If a system component does not engage in any of these activities, it does not need to meet the extensive requirements laid out in the PCI DSS, which are aimed at safeguarding CHD and SAD. This delineation helps organizations streamline their compliance efforts by focusing only on systems that truly process sensitive cardholder information, thus reducing the complexity and scope of their security assessments.

The other options suggest different scenarios where components might still be considered in-scope, but those would typically involve situations where there are indirect connections to the cardholder data environment or additional regulatory requirements, which are outside the straightforward interpretation of this aspect of the PCI DSS.
