How to pass PCI compliance scans
In this article we'll discuss PCI compliance requirements, explain what is PCI compliance, and give some steps to pass a PCI scan. PCI DSS stands for Payment Card Industry Data Security Standard. The PCI DSS was created back in 2004 by the four major credit card companies American Express, Discover, MasterCard, and Visa to help ensure that consumer payment card data is being transmitted and stored securely on the Internet.
PCI compliance requirements
If you have a website where you will be taking credit card numbers directly from your visitors, it's typically required to pass PCI scans before your site can be given a seal of approval for adhering to the PCI DSS. A PCI vendor will do a series of PCI scans on your website and provide you with a PCI scan report usually in PDF format that should include an actionable list of failures, and possible solutions.
Passing a PCI compliant scan attempt will genereally require changing some default settings on your server to be more secure before they proceed with the scan. Some of the most common things that will need to be done will be closing ports at the firewall, and ensuring that you're using up to date software.
Staying PCI compliant
PCI compliance is an on-going commitment, and most PCI vendors will require doing a new scan about once every 90 days or so to ensure that your website is staying compliant. Ensuring that your website stays PCI compliant can help keep your customers trusting you, as it shows them you're committed to maintain orders without the risk of a security breach and theft of their vital data.
If you've already had a scan run on your website and the test failed, you can e-mail a copy to us at email@example.com to have our system administration department review the scan for you. Below are some of the common things that can cause a PCI scan to fail initially. Over time each of these should also link for how to handle that type of failure on your own.
- Close open ports in the firewall.
- Outdated system software (Apache, BIND, Exim, OpenSSL, PHP)
- SSL/TLS vulnerability
- FTP clear/plain text authentication.
- cPanel guestbook.cgi is present.
- Directory Indexes are on.
- /scgi-bin directory accessible.
We value your feedback!
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
new! - Enter your name and email address above and we will post your feedback in the comments on this page!
2014-05-05 11:05 am
Since am using a gateway and payment processor, do I still need to do PCI compliance test on my site?
2014-06-28 4:13 am
You only need to pass PCI compliance typically if you're handling credit cards directly on your site. If your gateway or payment processor does not require a PCI scan before giving your site a seal of approval then you shouldn't need to worry about it.
2014-09-23 4:49 pm
We do take cc through our site. Failing the PCI scan right now. By default should port 80 be closed?
Created a URL redirect from Port 80 to 443 but Scan fails if 80 remains open, which is necessary if we want the redirect to work.
2014-09-23 5:19 pm
Sorry to hear that you're having problems with the PCI compliance. As per our documentation, if you have completed a PCI test and it's failing, then the best step is to contact our technical support staff (firstname.lastname@example.org). You should provide a copy of the report so that they can review it. Port 80 is not typically closed.
I hope this helps with publishing the next Let us know if you require further assistance.