Yes. The merchant web server must be included in scope so the assessor can examine its configuration and verify the redirection mechanism used. Once verified, the applicable requirements will then …
Merchants and service providers should always consult with their acquirer (merchant bank) or payment brand directly, as applicable, to confirm their PCI DSS validation and reporting method (e.g. whether to …