In the same vein of the SAQ A versus SAQ A-EP considerations, like is your web hoster a service provider for SAQ-A and “Does an SAQ-A merchant need ASV scans?”.
If a website uses a hosted payment page redirect, is the web server in scope for PCI DSS v3.x? You will not find a direct unequivocal answer to that question in many spots.
One spot you WILL find a direct answer is way back in the February 2014 edition of the Assessor Newsletter. The question was featured as the FAQ of the month!
The new guidance mentioned in that FAQ is Information Supplement • Best Practices for Securing E-commerce • April 2017.
And the direct answer is YES with mention of the risk of a website redirection attack.
And it turns out FAQ 1332 has the answer as well.
Ad below this line:
