Where should system components that store cardholder data be placed to minimize exposure to untrusted networks?


Multiple Choice

Where should system components that store cardholder data be placed to minimize exposure to untrusted networks?

Explanation:
The key idea is to isolate sensitive data from networks that might be exposed to untrusted sources. System components that store cardholder data (for example, a database) belong in an internal network zone that is clearly segregated from the DMZ and from any other untrusted network. This is what PCI DSS asks for: Requirement 1.3.6 in v3.2.1 ("Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks") and Requirement 1.4.4 in v4.0 (system components that store cardholder data are not directly accessible from untrusted networks). Keeping the data store in that zone means a compromise of a public-facing or guest network does not give the attacker a direct network path to the stored data.

Putting CHD storage in the DMZ would make it reachable from the internet, increasing exposure and risk. Exposing CHD on the public internet behind a firewall still exposes the data to external threats and is not acceptable. Storing CHD in the same untrusted network as guest devices also increases risk, since those devices may be compromised and provide a path into the data. Keeping CHD in a dedicated internal zone, with firewall rules that permit only the specific DMZ hosts and ports that need to reach it and deny everything else, is how you reduce exposure and meet the PCI DSS network segmentation requirement.

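The placement rule above is easy to state and easy to violate in a firewall policy. As an added example (not part of the original page, and not from the PCI SSC), here is a small Python audit that models three zones with constructed addresses, evaluates a first-match rule list, and reports when a CHD store sits outside the internal zone or is reachable from the internet, the guest network, or any DMZ host other than the one named application server on the database port. The zone names, addresses, rule format and hosts are all assumptions made for illustration.

```python
"""Audit where a cardholder-data (CHD) store sits relative to untrusted networks.

Added example, not from the page or from the PCI SSC. The zone layout,
addresses, rule format and hosts below are constructed for illustration.
Rule evaluation is first-match with an implicit default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout (hypothetical addressing).
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),            # public-facing web tier
    "guest": ipaddress.ip_network("10.0.9.0/24"),          # guest Wi-Fi, untrusted
    "cde_internal": ipaddress.ip_network("10.0.50.0/24"),  # where CHD storage belongs
}
INTERNAL_ZONE = "cde_internal"
DB_PORT = 5432                    # the one service a DMZ app server legitimately needs
PROBE_PORTS = (DB_PORT, 22, 443)  # DB service plus two common admin/web ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any source
    dst: str                     # CIDR
    dport: Optional[int] = None  # None means any destination port


def zone_of(ip: str) -> str:
    """Name the zone an address belongs to; anything outside ZONES is the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allows(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """First-match rule evaluation; no matching rule means deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action == "allow"
    return False


def audit_chd_store(rules: List[Rule], chd_host: str, dmz_app_server: str) -> List[str]:
    """Return findings; an empty list means placement and reachability look right.

    dmz_app_server is the single DMZ host that is expected to query the database.
    """
    findings = []
    zone = zone_of(chd_host)
    if zone != INTERNAL_ZONE:
        findings.append(f"CHD store {chd_host} sits in zone '{zone}', not the internal CDE zone")

    # Representative sources: an internet client, a guest client, and a DMZ host
    # that is not the app server. Constructed addresses, not an exhaustive search.
    probes = {
        "internet": "203.0.113.10",
        "guest": str(ZONES["guest"][10]),
        "dmz (not the app server)": str(ZONES["dmz"][10]),
    }
    for label, src in probes.items():
        for port in PROBE_PORTS:
            if allows(rules, src, chd_host, port):
                findings.append(f"{label} source {src} can reach CHD store on port {port}")
    # The app server may use the DB port and nothing else.
    for port in PROBE_PORTS:
        if port != DB_PORT and allows(rules, dmz_app_server, chd_host, port):
            findings.append(f"DMZ app server {dmz_app_server} can reach CHD store on non-DB port {port}")
    return findings


DMZ_APP_SERVER = "10.0.1.20"

# Weak design: the database lives in the DMZ on a flat subnet, and the
# guest network is not filtered at all.
WEAK_DB_HOST = "10.0.1.30"
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.0/24", 443),  # internet to the whole DMZ
    Rule("allow", "10.0.1.0/24", "10.0.1.0/24"),      # anything in the DMZ to anything in it
    Rule("allow", "10.0.9.0/24", "0.0.0.0/0"),        # guest network unrestricted
]

# Hardened design: database in the internal CDE zone; only the named DMZ app
# server may reach it, and only on the DB port.
HARDENED_DB_HOST = "10.0.50.10"
HARDENED_RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.20/32", 443),  # internet to the web front end only
    Rule("allow", "10.0.1.20/32", "10.0.50.10/32", DB_PORT),
]

if __name__ == "__main__":
    for name, rules, host in (("weak", WEAK_RULES, WEAK_DB_HOST),
                              ("hardened", HARDENED_RULES, HARDENED_DB_HOST)):
        findings = audit_chd_store(rules, host, DMZ_APP_SERVER)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run as a script, the weak layout (database inside the DMZ on a flat subnet, guest network unfiltered) produces a list of findings, while the hardened layout (database in the internal zone, one DMZ host permitted on the DB port) comes back clean. The probes are representative addresses rather than an exhaustive search, so a clean result says the modelled policy is consistent with the requirement, not that the real network is segmented; that still needs the penetration testing of segmentation controls that PCI DSS requires separately.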
