Has anyone worked through the reasoning that if I have a single-page application (SPA) whose HTML and JavaScript are hosted on Server X, sending credit cards to a remote API hosted on Server Y, does Server X fall under the scope of PCI?
Server Y in this scenario is PCI compliant (hosted application certified by the vendor via a 3rd party).
Server X does serve web pages over HTTPS, the SPA accesses Y's API over HTTPS, and we do make all reasonable efforts to keep X secure.
The API never returns card information, just masked "display" version of the card (ie "****" + last 4).
I've found one similar question, but the answer is over 10 years old at this point, and I know the PCI specifications do change of time.
If the credit card information never passes through Server X, as per your comments above, then server X does not need to be PCI compliant. PCI compliance only applies to software and networks that handle credit card information. Since that information is never on Server X, Server X is never within PCI scope.
Yes, Server X is in scope for PCI. If Server X is serving up the HTML/JS code that handles collection of PAN data, a vulnerability there could lead to leakage of data upon input.
If Server X was delivering HTML/JS but then the DOM was pulling in remote javascript from an external processor like Stripe to handle the UI components that collect PAN data, then Server X would not be in scope for PCI. However the organization would still be responsible for PCI self-assessment questionnaire level A -- "Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. "
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.