Frequently Asked Question

Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?

A provider of third-party scripts is not considered a third-party service provider (TPSP) for PCI DSS Requirements 12.8 and 12.9 as part of an entity’s assessment of the entity’s e-commerce environment, if the entity confirms that:

  • The provider’s only service is providing scripts not related to payment processing, and
  • The provider’s scripts cannot impact the security of cardholder data and/or sensitive authentication data.

Refer to the following FAQ:

FAQ 1588: How does an e-commerce merchant meet the SAQ A eligibility criteria for scripts?

March 2025
Article Number: 1592
