Which of the following are examples of service providers to be included in PCI DSS oversight?


Multiple Choice

Which of the following are examples of service providers to be included in PCI DSS oversight?

Explanation:
PCI DSS defines a service provider as a business entity, other than a payment brand, that is directly involved in processing, storing, or transmitting cardholder data on behalf of another entity, and it extends the term to companies whose services control or could impact the security of cardholder data. The examples given match that definition: a backup tape storage facility holds media that may contain cardholder data; managed service providers such as web-hosting companies or security service providers either handle cardholder data or administer systems that do; and an entity that receives data for fraud-modeling purposes processes cardholder data on the merchant's behalf. PCI DSS Requirement 12.8 uses these same examples and requires the merchant to maintain a list of such providers, hold written agreements with them, perform due diligence before engaging them, monitor their PCI DSS compliance status at least annually, and record which PCI DSS requirements each provider manages versus which the merchant retains. Because these entities sit outside the merchant's own environment yet can affect the protection of cardholder data, they must be included in PCI DSS oversight and subject to appropriate controls and assessment. The other options do not fit: a merchant's internal systems are part of its own cardholder data environment and are assessed directly, not as a third party; social media platforms and employees' personal devices are not engaged to store, process, or transmit cardholder data on the merchant's behalf, so they are not service providers for PCI DSS purposes.
