Since HiConversion doesn’t process, store, or transmit credit card information, most of the compliance requirements are mitigated.
HiConversion is, however, often used on the pages in a checkout funnel where visitors are asked to enter their credit card details. Although HiConversion doesn’t transmit or process data at this point, this is a touchpoint with your visitors’ data. Generally, any system that could potentially be used to get to your visitors’ credit card data is within the scope of PCI DSS and therefore has to adhere to the strict rules the payment industry has worked out to protect cardholders’ sensitive information.
There are two options for using HiConversion in compliance with PCI DSS.
Option 1: do not place HiConversion’s tag on the page where visitors can enter payment information
You can deploy HiConversion’s tag on all other pages. There will be no impact on your PCI DSS compliance.
Option 2: embed the credit card form field through an iframe
If you want to remove HiConversion from the scope of PCI DSS compliance completely, you can add the form field where customers enter their credit card details to your page through an iframe, or redirect users to a payment page hosted by your payment processor. This is the case with many popular payment processors such as Stripe, PayPal or Adyen.
HiConversion code then can’t access these fields, which essentially shields them from our snippet. On the downside, you also won’t be able to change and optimize these fields without making a separate version of the form available.
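As an added example (not HiConversion's code), the Python check below audits one checkout page's HTML against the two options above. The shielding in Option 2 comes from the browser's same-origin policy, so the check also flags iframes that share the page's origin; the tag marker `tag.hiconversion.example`, the card-field hints and the sample pages are constructed assumptions, and the tag is assumed to load through a `<script src>` element.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: substrings that identify a card-data <input> (autocomplete/name/id).
CARD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "card_number", "cvv", "cvc")

def origin(url):  # scheme/host/port triple compared by the same-origin policy
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

class CheckoutAudit(HTMLParser):
    def __init__(self, page_url, tag_marker):
        super().__init__()
        self.page_url, self.tag_marker = page_url, tag_marker
        self.tag_present = False
        self.card_inputs = []         # card fields in the top-level DOM
        self.same_origin_frames = []  # frames a script on the page can read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and self.tag_marker in a.get("src", ""):
            self.tag_present = True
        elif tag == "input":
            ident = " ".join(a.get(k, "") for k in ("autocomplete", "name", "id")).lower()
            if any(hint in ident for hint in CARD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id") or "(unnamed)")
        elif tag == "iframe":
            src = urljoin(self.page_url, a.get("src", ""))  # no src: page's own origin
            if origin(src) == origin(self.page_url):
                self.same_origin_frames.append(src)

def audit(page_url, html, tag_marker):
    """Return (verdict, details) for one page of the checkout funnel."""
    p = CheckoutAudit(page_url, tag_marker)
    p.feed(html)
    p.close()
    if not p.tag_present:
        return ("ok-option-1", [])                 # tag kept off this page
    if p.card_inputs:
        return ("fail-card-fields-in-page", p.card_inputs)
    if p.same_origin_frames:
        return ("review-same-origin-iframe", p.same_origin_frames)
    return ("ok-option-2", [])                     # only cross-origin frames

# Constructed sample pages; the tag URL is a placeholder, not the real snippet.
SCRIPT = '<script src="https://tag.hiconversion.example/t.js"></script>'
PAGE = "https://shop.example/checkout/payment"
INLINE = SCRIPT + '<input name="cardnumber" autocomplete="cc-number">'
HOSTED = SCRIPT + '<iframe src="https://pay.processor.example/card"></iframe>'
```

Call `audit(PAGE, html, "tag.hiconversion.example")` for each page in the funnel; a `review-same-origin-iframe` verdict means the frame does not isolate the card field from scripts on the parent page.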