Externally hosted resources can be compromised or even be designed to be hostile to your business. If they are included on your payments page, attackers can compromise shopper information including cardholder data. Adyen notes that there are a number of high profile cases in the news, impacting millions of shoppers in some cases.
Using external resources without the right compliance documentation means that your PCI DSS scope reduction is no longer applicable for HPP, CSE or certain Checkout integrations. PCI DSS does not allow third-party services to be used in the payment process unless they are a certified PCI DSS Level 1 or 2 Service Provider. Adyen also requires all third-party service providers to be reported in your SAQ and to be registered with Visa.
Things to look out for on your payments page:
• Analytics tools
• Automatic translation services
• Chat tools
• Tag managers
• Fonts provided from other systems or third parties
You can use these services elsewhere on your site and shopping cart, but not on your payments page due to the risks to cardholder data.
There are some safer ways to provide some of these facilities. Read more on that here.
The responsibility of maintaining compliance and security of your payments page remains with you.