thePCI Portal

If a website uses a hosted payment page redirect, is the web server in scope for PCI DSS v3.x?

In the same vein of the SAQ A versus SAQ A-EP considerations, like is your web hoster a service provider for SAQ-A and “Does an SAQ-A merchant need ASV scans?”.

If a website uses a hosted payment page redirect, is the web server in scope for PCI DSS v3.x?  You will not find a direct unequivocal answer to that question in many spots.

One spot you WILL find a direct answer is way back in the February 2014 edition of the Assessor Newsletter.  The question was featured as the FAQ of the month!

 


 

 

 

 

And the direct answer is YES with mention of the risk of a website redirection attack.

And it turns out FAQ 1332 has the answer as well.

Ad below this line:

Leave a Reply

Your email address will not be published. Required fields are marked *