Many ISVs assume they're out of PCI scope because they use hosted fields or JavaScript SDKs that “keep them away” from cardholder data. But PCI applies not only to who handles the data — but to who could impact the security of it. That means ISVs are in scope, and here's why.