If a website uses a hosted payment page redirect, is the web server in scope for PCI DSS v3.x? You will not find a direct unequivocal answer to that question in many spots. Its not in the PCI SSC FAQ (but probably should be).
One spot you WILL find a direct answer is way back in the February 2014 edition of the Assessor Newsletter. The question was featured as the FAQ of the month!
And the direct answer is YES with mention of the risk of a website redirection attack.
Ad below this line: