Disable FTP for PCI

Disable FTP for PCI: Why Your ASV Scan Is Failing and How to Fix It

The Quick Fix You Need

Your quarterly ASV scan just failed because FTP is enabled on your server. This is one of the most common PCI compliance failures, and the good news is that fixing it is straightforward: turn off FTP services completely, or replace them with a secure alternative such as SFTP or FTPS. Here’s exactly what you need to know and do.
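The check and the fix described above, as an added example that is not part of the original article: a POSIX shell audit that flags any listener bound to TCP port 21 in `ss -Hltn` output and prints the remediation for a systemd-managed FTP daemon. It assumes `ss` from iproute2 and a unit named vsftpd; the socket listings embedded below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Linux host for the
# cleartext FTP listener (TCP 21) that fails the ASV scan, and show the fix.
# Assumptions: `ss` from iproute2 is available, and the FTP daemon is a
# systemd unit named vsftpd (substitute proftpd or pure-ftpd as appropriate).

# Scan text in the layout of `ss -Hltn` (State Recv-Q Send-Q Local Peer).
# Returns 0 when nothing is bound to TCP 21, 1 when a listener is found
# (the offending lines are printed so they can be pasted into a ticket).
check_ftp_listeners() {
    found=$(printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 ~ /:21$/')
    if [ -n "$found" ]; then
        printf 'FAIL: cleartext FTP listener present:\n%s\n' "$found"
        return 1
    fi
    printf 'PASS: no listener on TCP 21\n'
    return 0
}

# Audit the live host. The remediation is printed, not executed, so the
# operator decides when the service goes away; a rescan is still required.
audit_host() {
    check_ftp_listeners "$(ss -Hltn 2>/dev/null)" && return 0
    echo 'Remediate (assumed unit name vsftpd), then request an ASV rescan:'
    echo '  sudo systemctl disable --now vsftpd'
    echo '  sudo ss -Hltn | grep ":21 "   # must print nothing'
    return 1
}

# Constructed sample listings for offline demonstration (not real hosts).
SAMPLE_BAD='LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*'
SAMPLE_GOOD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 32 [::]:990 [::]:*'

# Demonstrate on the samples: the first prints FAIL, the second PASS.
check_ftp_listeners "$SAMPLE_BAD" || :
check_ftp_listeners "$SAMPLE_GOOD"
```

Explicit FTPS (AUTH TLS) also answers on port 21, so treat a hit as something to reconcile with the scan report rather than a verdict on its own; SFTP rides on SSH (port 22) and is unaffected by this check.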

What Is PCI Compliance (In Plain English)

PCI compliance isn’t as complicated as it sounds. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that apply to anyone who accepts credit card payments. Think of it as a security checklist designed to protect your customers’ card data — and protect you from the massive liability that comes with a data breach.

The major card brands (Visa, Mastercard, American Express, and Discover) created these standards through the PCI Security Standards Council (PCI SSC). But they don’t enforce compliance directly — your payment processor or acquiring bank does. That’s who sent you the compliance questionnaire you’re looking at right now.

What happens if you don’t comply? Your payment processor can fine you (typically $5,000-$100,000 per month of non-compliance), you become liable for any fraud losses from a breach, and ultimately, they can terminate your ability to accept credit cards. That’s the stick. The carrot is that compliance actually makes your business more secure and reduces your risk.

Here’s the good news that compliance companies don’t always tell you: most small businesses qualify for the simplest compliance requirements. If you’re using modern payment systems and following basic security practices, you’re probably already doing 90% of what’s required.

Do You Need to Be PCI Compliant?

Simple answer: if you accept credit cards in any form — in person, online, over the phone, or through the mail — yes, you need to be PCI compliant.

Your merchant level determines how much documentation you need to provide. For most small businesses processing less than 1 million transactions per year, you’re a Level 4 merchant. That means you complete a Self-Assessment Questionnaire (SAQ) instead of hiring an expensive QSA for a full Report on Compliance (ROC).

Your payment processor expects you to complete an annual self-assessment, pass quarterly vulnerability scans if you have any internet-facing systems, and submit an Attestation of Compliance (AOC) that says you’ve done both. That questionnaire they sent you? It’s their way of collecting this documentation.

Which SAQ Do You Need?

The SAQ isn’t one-size-fits-all. There are different versions based on how you accept payments:

How You Accept Payments                               SAQ Type   Number of Questions   Complexity
Redirect to payment page (PayPal, Stripe Checkout)    SAQ A      22                    Easiest
E-commerce with payment fields on your site           SAQ A-EP   191                   Moderate
Standalone terminals only (Square, Clover)            SAQ B      41                    Easy
Terminals on your network                             SAQ B-IP   93                    Moderate
Phone/mail orders only                                SAQ C-VT   85                    Moderate
Everything else (storing cards, custom systems)       SAQ D      339                   Complex

If you’re using Shopify with their checkout, you’re likely SAQ A. Running a restaurant with a Square terminal that’s not connected to your network? That’s SAQ B. Taking orders over the phone and entering them into a virtual terminal? You’re looking at SAQ C-VT.

Not sure which one applies? PCICompliance.com’s SAQ Wizard asks a few simple questions about your payment setup and tells you exactly which questionnaire you need — no guessing required.

How to Complete Your SAQ

The questionnaire itself is a series of yes/no questions about your security practices. When you answer “yes,” you’re stating that you’ve implemented that specific security control. Here’s what the process looks like:

Step 1: Gather Your Information
You’ll need to know how you process payments, what systems touch card data, and basic information about your network setup. Don’t worry — for most small businesses, this is simpler than it sounds.

Step 2: Answer the Questions
Read each question carefully. If you’re SAQ A (redirect to a hosted payment page), you’ll answer questions like “Do you redirect all cardholder data to a PCI DSS validated third-party payment processor?” For most questions, the answer should be yes if you’re following standard practices.

Step 3: Complete Your Vulnerability Scan
If your SAQ type requires it (any business with internet-facing systems), you’ll need to pass a quarterly ASV scan. This automated scan checks your public-facing systems for vulnerabilities. Common failures include having FTP enabled, using outdated SSL/TLS versions, or running unpatched software.

Step 4: Submit Your Documentation
Once you’ve completed the SAQ and passed your scan (if required), you’ll sign the Attestation of Compliance and submit it to your payment processor. Keep copies for your records — you’ll need them next year.

The entire process typically takes 2-4 hours for simple SAQ types, or 1-2 days for more complex ones. The quarterly scans run automatically once configured and take about 30 minutes to review results.

What It Costs

Let’s talk real numbers. PCI compliance costs vary based on your complexity:

For Most Small Businesses (SAQ A, B, C-VT):

  • Compliance platform with SAQ tools: $200-500/year
  • Quarterly ASV scanning (if required): $200-400/year
  • Total annual cost: $400-900

For Complex Environments (SAQ D):

  • Compliance platform: $500-2,000/year
  • Quarterly ASV scanning: $400-800/year
  • Potential QSA assessment: $15,000-50,000
  • Total annual cost: $900-52,800

The Cost of Non-Compliance:

  • Monthly fines from processor: $5,000-100,000
  • Breach liability: $50-90 per compromised card
  • Forensic investigation: $10,000-100,000
  • Lost ability to process cards: Priceless

Put simply: annual compliance for most merchants costs less than a single month’s non-compliance fine. It’s not just about avoiding penalties — it’s about protecting your business from catastrophic loss.

Staying Compliant Year-Round

PCI compliance isn’t a one-and-done checkbox. It’s an annual requirement with quarterly milestones. Here’s how to stay on track:

Set Up Your Compliance Calendar

  • Annual SAQ due date (usually your anniversary date with your processor)
  • Quarterly ASV scan windows (every 90 days)
  • Security update reminders
  • Employee training refreshers

Monitor for Changes
Certain changes require immediate attention:

  • Adding new payment channels
  • Changing payment processors
  • Implementing new payment software
  • Major network changes

Use Compliance Tracking Tools
Manual tracking leads to missed deadlines. PCICompliance.com’s compliance dashboard automatically tracks your SAQ status, schedules your ASV scans, alerts you to upcoming deadlines, and maintains your compliance history. One dashboard, no spreadsheets, no missed deadlines.

Document Everything
Keep copies of completed SAQs, passed ASV scans, remediation efforts, and security policies. When your processor asks for proof of compliance (and they will), you’ll have everything ready.

FAQ

Q: I only process 5-10 transactions per month. Do I really need to be PCI compliant?

A: Yes. PCI DSS applies to any business that accepts credit cards, regardless of volume. The good news is that with such low volume, you likely qualify for the simplest SAQ types.

Q: What’s the difference between PCI compliant and PCI certified?

A: Merchants become PCI compliant by meeting the standard’s requirements. Only service providers and solutions can be “certified” by a QSA. As a merchant, you’re working toward compliance, not certification.

Q: My payment processor says I need to disable FTP. What does that mean?

A: FTP (File Transfer Protocol) transmits data unencrypted, making it a security risk. Your ASV scan will fail if FTP is enabled on any internet-facing system. Replace it with SFTP or FTPS, or disable it entirely if you don’t need file transfer capabilities.

Q: Can I just ignore the compliance questionnaire?

A: Technically yes, but it’s an expensive mistake. Your processor will start charging non-compliance fees, you’ll be liable for any fraud losses, and they can eventually terminate your merchant account. The time to complete an SAQ is far less than dealing with the consequences.

Q: Do I need to hire a QSA?

A: Only Level 1 merchants (processing over 6 million transactions annually) require a QSA assessment. Most small businesses can self-assess using the appropriate SAQ. If you’re unsure, your payment processor will tell you exactly what’s required.

Q: How do I know if I’m storing credit card data?

A: Search your systems for 16-digit numbers, check your databases, review your email for card numbers, and examine any paper records. If you find card data, stop storing it immediately and consider moving to SAQ D requirements. Tokenization or encryption may help reduce scope.

Q: What if I fail my ASV scan?

A: Don’t panic. Review the failure reasons (usually outdated software, insecure protocols like FTP, or missing patches), fix the issues, and request a rescan. You have time to remediate and pass before your compliance deadline. Most scan failures are fixable within a few hours.

Q: Is PCI compliance actually enforced?

A: Absolutely. Payment processors actively monitor compliance status and issue fines for non-compliance. Following a breach, forensic investigators check PCI compliance first. Non-compliant merchants face massive liability, while compliant merchants have protection through safe harbor provisions.

Moving Forward with Confidence

PCI compliance might seem overwhelming when that first questionnaire arrives, but it’s genuinely manageable for most businesses. The key is understanding which requirements apply to you and having the right tools to maintain compliance.

Start by identifying your SAQ type — this single step eliminates 90% of the confusion. Use modern payment methods that minimize your PCI scope. Complete your quarterly scans on time. Keep good documentation. That’s really all there is to it for most merchants.

PCICompliance.com simplifies this entire process. Our free SAQ Wizard identifies exactly which questionnaire you need in under two minutes. Our ASV scanning service handles your quarterly vulnerability scans automatically. Our compliance dashboard tracks every requirement, deadline, and document in one place. Whether you’re completing your first SAQ or managing compliance across multiple locations, we provide the tools and guidance to achieve and maintain PCI compliance without the complexity. Start with our free SAQ Wizard to see exactly what’s required for your business, or contact our compliance team for a personalized walkthrough of your requirements.
