Single-Page Application, APIs, and PCI Compliance

Question

Has anyone worked through the reasoning that if I have a single-page application (SPA) whose HTML and JavaScript are hosted on Server X, sending credit cards to a remote API hosted on Server Y, does Server X fall under the scope of PCI?

Server Y in this scenario is PCI compliant (hosted application certified by the vendor via a 3rd party).

Server X does serve web pages over HTTPS, the SPA accesses Y's API over HTTPS, and we do make all reasonable efforts to keep X secure.

The API never returns card information, just masked "display" version of the card (ie "****" + last 4).

I've found one similar question, but the answer is over 10 years old at this point, and I know the PCI specifications do change of time.

Answer 1

If the credit card information never passes through Server X, as per your comments above, then server X does not need to be PCI compliant. PCI compliance only applies to software and networks that handle credit card information. Since that information is never on Server X, Server X is never within PCI scope.

Answer 2

Yes, Server X is in scope for PCI. If Server X is serving up the HTML/JS code that handles collection of PAN data, a vulnerability there could lead to leakage of data upon input.

If Server X was delivering HTML/JS but then the DOM was pulling in remote javascript from an external processor like Stripe to handle the UI components that collect PAN data, then Server X would not be in scope for PCI. However the organization would still be responsible for PCI self-assessment questionnaire level A -- "Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. "