3rd Party Adverts, Tracking Cookies and PCI DSS v3

For version 3 of the Payment Card Industry Data Security Standard (PCI DSS) the Self-Assessment Questionnaires (SAQ) have been changed.  SAQ A now covers card-not-present merchants who have fully outsourced all cardholder data functions, and a new SAQ A-EP has been added, covering partially outsourced e-commerce merchants who use a third-party website for payment processing.

In the eligibility criteria for each of these SAQs, there are clauses covering how web content is delivered to the browser:


For e-commerce channels, the entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS-validated service provider(s).


All elements of payment pages that are delivered to the consumer’s browser originate from either the merchant’s website or a PCI DSS-compliant service provider(s).

What this means

For an e-commerce merchant, whether they are completing an SAQ A or an SAQ A-EP, the website delivered to their consumers’ needs to come from PCI DSS-compliant services. Achieving this could be difficult if you are using third-party adverts and visitor tracking.

If you are an e-commerce merchant trying to use these SAQs and you have third-party adverts served on your website, these advert services must also be PCI DSS-compliant in order to achieve the eligibility criteria. If you use any analytic or tracking services on your website that use a third-party domain, then these services must also be PCI DSS-compliant in order to achieve the eligibility criteria of SAQ A and SAQ A-EP.

Failure to achieve the eligibility criteria for SAQ A or SAQ A-EP will mean having to achieve compliance by completing SAQ D, which is significantly longer and more onerous.

Book your place on the ISO27001:2013 and PCI DSS V3 – new Standards in the Global Cyber War event to find out more about PCI DSS compliance.