Suppose I have an ecommerce web site, hosted in Azure (or AWS). I will use a third party payment gateway that is fully certified as PCI level 1. All communication is done with TLS 1.1 or better.
Scenario A: During checkout, a page is presented that asks the user for his details, including credit card. This browser form is served from my server in Azure. When the user hits PAY, using JavaScript we send the card details to the third party gateway to process the payment and wait for the response. At no time are the credit card details sent to my server in Azure.
Scenario B: Instead of serving a credit card form from my site, we use the third party gateway's hosted payment page. That means we do a redirect to the gateway's site, where the user enters the card details, and then the browser redirects back to my payment complete page.
Scenario C: Sort of a hybrid, we display the hosted payment page from the gateway in an iframe inside a page served from my server in Azure.
Questions:
In these three scenarios, is there a difference in PCI scope for the server running in Azure? What is the scope? Does our Azure infrastructure need to undergo an annual audit?
Does it make a difference if I am a merchant myself (so the third party gateway is using my merchant account on my behalf) vs a gateway that processes transactions with their own merchant account, and then reimburses me later?
I'm led to believe there is a difference in PCI scope between these scenarios, but I can't really see why. If the Azure server is compromised, an attacker could serve malicious pages and capture the user's card regardless of which approach is used.
I see ecommerce sites using scenario A all the time, but I'm quite sure very few of them are running in PCI compliant environments.
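Scenario A rests on the claim that card details never reach the merchant's own server. One check a practitioner would want before arguing scope with an assessor is evidence for that claim: scan what actually arrives at the merchant side (request bodies, application logs, error reports) for anything that looks like a PAN. The following is an added example, not code from the question or from any gateway; the artifacts it scans are constructed sample strings, and the card number in them is a standard Luhn-valid test number, not a real card.

```javascript
// Added example: check that the merchant side of Scenario A really never
// receives cardholder data, by scanning merchant-side artifacts for
// Luhn-valid digit runs of PAN length (13-19 digits).

// Luhn checksum: the standard check-digit algorithm used for card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find candidate PANs in free text: 13-19 digits, optionally grouped with
// spaces or dashes. Only Luhn-valid runs are reported, which filters out
// most order numbers, timestamps and similar numeric noise.
function findPans(text) {
  const candidates = text.match(/\b(?:\d[ -]?){12,18}\d\b/g) || [];
  const found = new Set();
  for (const c of candidates) {
    const digits = c.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.add(digits);
    }
  }
  return [...found];
}

// Report only the last four digits; the scanner must not become a new
// place where full PANs are written down.
function mask(pan) {
  return '*'.repeat(pan.length - 4) + pan.slice(-4);
}

// Scan a map of artifact name -> artifact contents (request bodies, log
// lines). Returns one finding per artifact per distinct PAN found.
function scanMerchantArtifacts(artifacts) {
  const findings = [];
  for (const [name, body] of Object.entries(artifacts)) {
    for (const pan of findPans(body)) {
      findings.push({ artifact: name, pan: mask(pan) });
    }
  }
  return findings;
}

// Constructed sample artifacts (hypothetical; not taken from a real system).
// The first is what the merchant server should see in Scenario A: a gateway
// token and non-sensitive order data. The second models a leak, where a
// checkout script posted the raw form to the merchant and it was logged.
// The third is a 13-digit order number that is not Luhn-valid.
const SAMPLE_ARTIFACTS = {
  'POST /checkout/complete (expected in Scenario A)': JSON.stringify({
    orderId: 'o-1001',
    gatewayToken: 'tok_abc123',
    last4: '1111',
    amount: 4999,
  }),
  'app.log (leak: raw form reached the merchant)':
    '2019-06-01T10:02:11Z INFO form={"name":"J Doe","card":"4111 1111 1111 1111","exp":"12/22"}',
  'app.log (order number, not a PAN)':
    '2019-06-01T10:03:00Z INFO order 1234567890123 shipped',
};

// Running the scan over the samples yields exactly one finding, on the
// leaking log line, reported as ************1111.
const SAMPLE_FINDINGS = scanMerchantArtifacts(SAMPLE_ARTIFACTS);
```

A clean scan over logs and request captures is supporting evidence that the merchant server is not storing, processing or transmitting cardholder data; it does not by itself answer the question's concern about a compromised page, since the scan only sees what reaches the artifacts you choose to inspect.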