Cloudflare Docs
Cloudflare Fundamentals
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Scan server for PCI compliance

PCI scanners are tools used to identify security weaknesses. When a business undergoes a compliance audit, PCI scan results are used for compliance verification.

​​ Initiate a scan

  1. Identify which server your scan should target. Are you scanning against your origin server, where your applications are hosted, or at a proxy server sitting in front of your origin, such as Cloudflare?

  2. On your scanner tool, enter a public URL or an IP address. If you enter a public website URL, the scanner will resolve the hostname and scan the resulting the IP address. To scan your origin server, be sure to enter your origin server’s IP address or a hostname that resolves to the origin server’s IP, not a proxy server.

  3. Start the scan and analyze the results.

  4. (Optional) Run another scan for a different origin server.

​​ Open ports versus blocked traffic

There is a difference between open ports and blocked traffic. Due to the nature of how Cloudflare’s Anycast network works, ports other than 80 and 443 are always open so that Cloudflare can serve traffic for other customers on these ports. However, customers can easily block all unwanted traffic to these ports by using Cloudflare WAF Managed Rules or custom rules. The PCI scan will show the ports being open, but the traffic would not reach your origin server. This is an often misunderstood concern.

​​ Additional resources

You can find all our public compliance resources in the following pages:

If you have a Pro, Business, or Enterprise plan, you can access Compliance documents in the Cloudflare dashboard by selecting your account where you are a Super Administrator and then navigating to Support > Compliance Documents.