What are the PCI DSS scoping requirements applicable to?


The PCI DSS scoping requirements are applicable to people, processes, and technologies because they encompass the entire ecosystem that handles credit card data. Scoping is essential for defining the boundaries of the cardholder data environment (CDE). This includes not only the technology, such as the networks, servers, and databases that store, process, or transmit cardholder data, but also the people who manage these systems and the processes that govern how data is protected and processed.

Including people and processes in scoping ensures a comprehensive understanding of the security measures needed to protect cardholder data. It recognizes that technology alone cannot secure data without appropriately trained personnel following established security protocols. Therefore, a holistic approach is required for effective compliance with PCI DSS, making "people, processes, and technologies" the correct choice for scoping requirements.
