  1. #1
    Join Date
    Oct 2009
    Posts
    66
    Plugin Contributions
    0

    How do I check my site for PCI Compliance?

    Hi,

    I have used QualysGuard PCI but that seems to check my hosting for PCI compliance.

    How do I check my actual site for PCI compliance?

    Thank you.

  2. #2
    Join Date
    Aug 2005
    Location
    Arizona
    Posts
    27,761
    Plugin Contributions
    9

    Re: How do I check my site for PCI Compliance?

    I believe that this is manual and involves the PCI SAQ - Self Assessment Questionnaire
    Zen-Venom Get Bitten

  3. #3
    Join Date
    Oct 2009
    Posts
    66
    Plugin Contributions
    0

    Re: How do I check my site for PCI Compliance?

    Hi,

    Thanks. So, there is no way to scan my site/pages to determine if it is PCI compliant?

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: How do I check my site for PCI Compliance?

    Quote: Originally Posted by riolas
    So, there is no way to scan my site/pages to determine if it is PCI compliant?
    Please explain EXACTLY what YOU think PCI compliance means.

    ... cuz I don't think you're thinking it means the same thing as we think it means.


    What exactly is the "business problem" you think you're solving by "scanning each page for compliance"? What exactly is this compliance YOU are referring to?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #5
    Join Date
    Oct 2009
    Posts
    66
    Plugin Contributions
    0

    Re: How do I check my site for PCI Compliance?

    Payment Card Industry Data Security Standard. Known as PCI DSS.

    Our site will have an official PFI report soon at the request of Visa and before they scan our site to ensure it passes their measures, I want to scan myself ahead of time to ensure it passes and doesn't contain any 'breaches'.

    I have already scanned our hosting and found possible problems there, which are being fixed now, but I want to know how I scan our site for possible breaches too.

    Thanks.

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: How do I check my site for PCI Compliance?

    Quote: Originally Posted by riolas
    Payment Card Industry Data Security Standard. Known as PCI DSS.

    Our site will have an official PFI report soon at the request of Visa and before they scan our site to ensure it passes their measures, I want to scan myself ahead of time to ensure it passes and doesn't contain any 'breaches'.

    I have already scanned our hosting and found possible problems there, which are being fixed now, but I want to know how I scan our site for possible breaches too.

    Thanks.
    If you want your own scans done independently of what your Visa service is doing, then you'll need to hire your own scanning vendor to have them do the scan for you.

    (Or you could set up your own separate server, configure it with professionally-purchased software that can do scans, learn how to do the scans, and then perform those scans. Then take the courses to study what the scan results mean and how to identify "real" issues vs "false positives". But all of that will cost you a *lot* more time and money than hiring someone who's already doing it professionally. I only mention it for the sake of thoroughness. I would say 99.9% of people would never dare take this on themselves unless it were part of their profession.)

    So, yes, the simple and most accurate and appropriate answer to your question is: hire someone.

  7. #7
    Join Date
    Apr 2006
    Location
    West Salem, IL
    Posts
    2,748
    Plugin Contributions
    0

    Re: How do I check my site for PCI Compliance?

    I agree with the Doctor, there is no tool you can use to scan your site yourself. If you are required by your merchant account to be scanned, then get scanned...when it fails, and it will fail, fix the problems...most of which will be things that the host needs to fix, and scan again until all you're left with are the false positives and submit those. Then you can ready yourself for failing every quarter, over and over and over because the scan changes constantly and the scanning vendors are at times implementing rules into the scan that don't actually have an implementation date until sometime far out in the future, like a year away. Enjoy.
    Mike
    GeekHost - Zen Cart Certified & PCI Compliant Hosting
    The Zen Cart Forum...Better than a monitor covered with post-it notes!
