FAQ #1592 - Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?

FAQ #1592 Published Version: 26 Mar 2025, 15:35

Are providers of third-party scripts for e-commerce environments considered third-party service providers for PCI DSS Requirements 12.8 and 12.9?

A provider of third-party scripts is not considered a third-party service provider (TPSP) for PCI DSS Requirements 12.8 and 12.9 as part of an entity’s assessment of the entity’s e-commerce environment, if the entity confirms that:

The provider’s only service is providing scripts not related to payment processing, and
The provider’s scripts cannot impact the security of cardholder data and/or sensitive authentication data.

Refer to the following FAQ:

FAQ 1588: How does an e-commerce merchant meet the SAQ A eligibility criteria for scripts?

View all versions Back to recent changes