How to pass PCI compliance scans

In this article we’ll discuss PCI compliance requirements, explain what PCI compliance is, and give some steps to pass a PCI scan. PCI DSS stands for Payment Card Industry Data Security Standard. The PCI DSS was created back in 2004 by the four major credit card companies American Express, Discover, MasterCard, and Visa to help ensure that consumer payment card data is transmitted and stored securely on the Internet.

PCI compliance requirements

If you have a website where you take credit card numbers directly from your visitors, you are typically required to pass PCI scans before your site can be given a seal of approval for adhering to the PCI DSS. A PCI scanning vendor will run a series of scans against your website and provide you with a scan report, usually in PDF format, that should include an actionable list of failures and possible solutions.

Passing a PCI scan will generally require changing some default settings on your server to make it more secure before the vendor runs the scan. Some of the most common changes are closing unneeded ports at the firewall and ensuring that the software you run is up to date.

Staying PCI compliant

PCI compliance is an ongoing commitment, and most PCI vendors will require a new scan about once every 90 days to ensure that your website stays compliant. Keeping your website PCI compliant helps keep your customers’ trust, as it shows them you’re committed to processing their orders without the risk of a security breach and theft of their sensitive data.

If you’ve already had a scan run on your website and the test failed, you can e-mail a copy to us through a ticket submitted via AMP. Our system administration department can then review the scan for you. Below are some common things that can cause a PCI scan to fail. Over time, each of these should also link to instructions on how to handle that type of failure on your own.

You should now understand what PCI compliance is and why it might be important for your website if you’re accepting credit cards.
InMotion Hosting Contributor

21 thoughts on “How to pass PCI compliance scans”

  1. I am running credit cards using First Data Clover Mini device daily. I failed the scan report several times because of the server or network that I am using right now. It says IP Address is not strongly secured or encrypted. What should I do to be PCI Compliant? Do I need to adjust anything on the current server, network or router? Should I get a new modem and router? I don’t want to spend too much time and money for the time being. Do I really need to be PCI Compliant? Any suggestions would help. Thanks.

    1. If you can open a ticket with our Live Support team, they can offer advice and help on getting compliant. It is definitely necessary to be compliant if you are going to accept credit card transactions.

  2. I ran a PCI Compliance scan from a computer on the network. It failed and gave me a list of things to resolve. My question is, did the scan run against the web server, which is not a part of the network, or did it run against the network servers/firewall? We have a pretty tight network setup and I don’t want to start making a bunch of changes if I don’t need to.


    1. Hello Sally,

      Thanks for your question about the PCI compliance scan. If you’re running a scan on a web server, then it’s running on that server; it would not be running on a server dedicated for security purposes.

      I hope that helps to answer your question! If you require further assistance, please let us know!

      Regards,
      Arnel C.

  3. Sadly, that’s the typical response from other hosting sites as well. Makes things very frustrating as so much of the questionnaire is about data center things that the person filling out the questionnaire will have no clue how to answer. This is my main beef with PCI. The questionnaire is written as if everyone runs their own data center, and hosting providers fail to provide any details on how to respond to the numerous questions.

    1. I’d suggest reaching out to your hosting provider and ask the specific questions you need answers for. They can help with all the answers you need and it’s important you answer them to the best of your abilities. PCI compliance has to extend its reach to more than just your server and ultimately, it’s for your protection as well as your customers.

  4. Hi, I have to submit a PCI DSS Self Assessment Questionnaire, and many of the questions pertain to the server and network. Do you have any recommendations as far as answering or N/A? I don’t know the answers to many of the questions so any help is appreciated. I am on a VPS plan.


    Thank you.

    1. Just answer honestly and to the best of your knowledge. If something is truly not applicable, say so. They will let you know if they need more information or more specific details.

  5. There is a lot more involved with PCI than just a scan. Your data center, firewalls, etc. must all be compliant so that the self assessment questionnaire can be completed. Is your data center PCI level 1 compliant? If not, then no amount of scanning will make the website PCI compliant.

    1. Hi James,

      You are right, there’s a lot more to being PCI compliant than the actual server scan, and your Data Center must maintain standards as well. It starts with the self-assessment questionnaire, includes the scan, and typically requires rebuttals explaining why your current configuration is the way it is. This includes explaining backporting and why specific ports are open. It’s a vigorous process but is important.

      If you have a specific issue with PCI compliance on your account, I recommend contacting Live Support, so they can address the specific issues.

      Let us know if you have a question, or we can help!

      Thanks!

      Tim S.

  6. Scan results read: scan may have been dynamically blocked by an IPS
    Risk: High (3)
    Port: 3391/tcp
    Protocol: tcp
    Threat ID: misc_scanblocked

    Service: 3391:TCP
    port became closed during scan

    How do I fix this? Is it my firewall?

    Thanks,

    Megan

    1. Hello Megan,

      Thank you for contacting us. This could be caused by your firewall, but it is difficult to troubleshoot without additional information, or access to the server environment.

      I recommend submitting your full PCI scan result to Live Support, so they can review your specific account. If you are not hosted with us, your host should be able to assist you with this.

      Thank you,
      John-Paul

  7. We do take cc through our site. Failing the PCI scan right now. By default should port 80 be closed?

    Created a URL redirect from Port 80 to 443 but Scan fails if 80 remains open, which is necessary if we want the redirect to work.

    1. Hello Charlie,

      Sorry to hear that you’re having problems with PCI compliance. As per our documentation, if you have completed a PCI test and it’s failing, then the best step is to contact our technical support staff ([email protected]). You should provide a copy of the report so that they can review it. Port 80 is not typically closed.

      I hope this helps with publishing the next. Let us know if you require further assistance.

      Regards,
      Arnel C.
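As an added illustration of the pattern discussed in the exchange above (this is not InMotion Hosting’s configuration or the commenter’s), here is an nginx layout where port 80 stays open but serves nothing except a redirect to HTTPS, and the site itself is served only on 443. The hostname, certificate paths and document root are placeholders.

```nginx
# Added example: keep port 80 open purely as a redirect to HTTPS.
# example.com, the certificate paths and the root directory are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Serve no content over cleartext HTTP: every request receives a
    # permanent redirect to the same path on HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;          # placeholder

    # PCI DSS no longer permits SSL or early TLS, so only offer current versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Tell browsers to go straight to HTTPS on later visits and skip the
    # cleartext hop entirely.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/example.com;   # placeholder
    index index.html;
}
```

With this layout, anything the scanner reports against port 80 can only concern the redirect itself, which makes the remaining findings in the report easier to isolate.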
