The PCI DSS standards apply to all entities that process, store or transmit cardholder data. This includes all merchants and service providers with external-facing IP addresses that touch the credit card acceptance. Even if your website does not offer website based transactions you (for example, you link to a payment gateway) there are other services that make systems Internet accessible. Basic functions such as e-mail and employee internet access will result in the internet accessibility of a company’s network. These seemingly insignificant paths to and from the internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.