PCI Scan Blocked by Firewall
Bottom Line Up Front
If your payment processor just sent you a PCI compliance questionnaire and you’re staring at it wondering what “quarterly ASV scans” and “network segmentation” mean, relax. For most small businesses, PCI compliance is simpler than you think. Yes, you need to complete it to keep accepting credit cards, and yes, that occasionally means dealing with a snag like your firewall blocking the PCI scan. But the actual process? It’s mostly filling out a questionnaire and running quarterly security scans against your internet-facing systems. Here’s what you actually need to know to get compliant and stay that way.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules created by the major card brands — Visa, Mastercard, American Express, Discover, and JCB. They formed the PCI Security Standards Council to manage these standards, but it’s your payment processor or acquiring bank who actually enforces them.
Think of it this way: the card brands want to make sure anyone handling credit card data keeps it secure. So they created these rules, and your payment processor makes sure you follow them. If you accept credit cards in any form — whether through a terminal, online, or over the phone — these rules apply to you.
The consequences of non-compliance are real but manageable. Most processors charge a monthly non-compliance fee until you validate (often $20-100 a month for a small merchant), the card brands can levy much larger fines that your processor passes through to you, you are liable for forensic and card-reissuance costs if there is a breach, and in extreme cases you can lose the ability to accept cards at all. The good news? Most small businesses qualify for the simplest validation requirements, and meeting them is straightforward once you know what to do.
Do You Need to Be PCI Compliant?
Simple answer: if you accept credit cards in any form, yes. It doesn’t matter if you’re a corner store with one terminal or an online shop processing thousands of transactions. If credit card numbers touch your business in any way, PCI compliance applies.
Most small businesses are Level 4 merchants: fewer than 20,000 e-commerce transactions a year and fewer than 1 million card transactions in total. This is good news because Level 4 merchants have the simplest validation requirements: complete a Self-Assessment Questionnaire (SAQ) annually and, if your SAQ type calls for them, pass quarterly external vulnerability scans.
What your payment processor expects: They’ll send you a compliance questionnaire (that’s probably why you’re reading this), expect you to complete it annually, and want to see passing vulnerability scans every quarter. Some processors charge a monthly non-compliance fee until you submit everything.
That questionnaire they sent you is your gateway to compliance. It’s asking you to confirm which SAQ type applies to your business and then complete it. Think of it as a security checklist tailored to how you accept payments.
Which SAQ Do You Need?
The SAQ you need depends entirely on how you accept and process credit card payments. Here’s the decision tree in plain language:
If you use a payment terminal (Square, Clover, a standalone credit card machine):
- Terminal dials out over a phone line only, with no IP connection → SAQ B (about 40 questions)
- Terminal connects over ethernet, your computer network, or Wi-Fi → SAQ B-IP (about 80 questions)
- Terminal is part of a validated P2PE solution listed by the PCI SSC → SAQ P2PE, the shortest of all; ask your processor whether yours qualifies
If you have an e-commerce site:
- Customers redirected to a hosted payment page (PayPal, Square, Stripe Checkout) → SAQ A (about 20 questions)
- Payment form embedded on your site but card data goes directly to processor → SAQ A-EP (about 190 questions)
If you take card payments over the phone:
- Using a virtual terminal from your processor → SAQ C-VT (about 80 questions)
- Typing card numbers into your own system → SAQ C or SAQ D
If you store card numbers anywhere (spreadsheets, customer database, anywhere):
- You need SAQ D (over 300 questions) — and you should seriously consider stopping this practice
| Payment Scenario | SAQ Type | Questions | Complexity |
|---|---|---|---|
| Redirect to PayPal/Stripe | SAQ A | ~20 | Simple |
| Dial-out terminal (phone line only) | SAQ B | ~40 | Simple |
| Terminal on your network | SAQ B-IP | ~80 | Moderate |
| Phone orders via virtual terminal | SAQ C-VT | ~80 | Moderate |
| Embedded payment form | SAQ A-EP | ~190 | Complex |
| Store card numbers | SAQ D | 300+ | Very Complex |
Not sure which one? PCICompliance.com’s free SAQ Wizard asks you a few simple questions about how you accept payments and tells you exactly which SAQ applies to your business.
How to Complete Your SAQ
Your SAQ is essentially a security checklist with yes/no questions. Each question asks about a specific security practice, and “yes” means you’re doing it. Here’s what the process looks like:
What the questionnaire looks like: Each question addresses a security control. For example, “Do you change default passwords on payment terminals?” or “Is your payment page served over HTTPS?” Most questions are straightforward — either you’re doing something or you’re not.
How long it takes:
- SAQ A: 30-60 minutes
- SAQ B/B-IP: 1-2 hours
- SAQ C-VT: 2-3 hours
- SAQ D: Multiple days with IT involvement
Documentation you’ll need:
- Your network diagram (for B-IP and higher)
- Security policies (can be simple for small merchants)
- Evidence of quarterly scans
- List of payment applications you use
Whether you need a quarterly ASV scan depends on your SAQ type: the requirement is tied to having internet-facing systems in scope, so the dial-out terminal, virtual terminal and P2PE types have not required one, while B-IP, A-EP, C and D do, and for SAQ A it depends on the SAQ version and whether any system of yours faces the internet. Your processor’s portal will tell you which applies. An Approved Scanning Vendor runs an automated scan of your external-facing systems (websites, mail servers, the public IP of your store’s router) looking for known vulnerabilities; think of it as a safety inspection for your internet presence. A scan passes only when nothing rated CVSS 4.0 or higher remains (plus a short list of automatic failures), so schedule it at least once every three months, fix anything at that level, request the re-scan, and keep the passing reports.
Submitting your completed SAQ: Once you have answered every question (and have a passing scan, where one is required), you sign an Attestation of Compliance (AOC). There is no PCI “certificate”; the AOC is your formal statement that the SAQ answers are true, and it is what your processor accepts as validation. Submit it through their compliance portal or whatever platform they have designated.
What It Costs
Let’s talk real numbers for PCI compliance costs:
Compliance platform and SAQ tools:
- Basic SAQ completion tools: $100-300/year
- Full compliance platforms with scanning: $300-1,000/year
- Enterprise solutions: $2,000+/year
Quarterly ASV scanning:
- Standalone ASV service: $200-400/year (four scans)
- Often included with compliance platforms
- Re-scans after fixing issues: typically free
If you need a QSA:
- Only required for Level 1 merchants or if your processor demands it
- QSA-assisted SAQ: $1,500-5,000
- Full ROC assessment: $15,000-50,000+
The cost of NON-compliance:
- Processor non-compliance fees: commonly $20-100 per month for small merchants, charged until you validate
- Card-brand non-compliance fines passed through by your processor (rare for small merchants unless there is a breach): $5,000-25,000 per month
- Breach costs: $50-90 per compromised card for reissuance and fraud
- Forensic investigation (PFI): $20,000 minimum
- Lost ability to process cards: priceless
Honest assessment: For most small merchants, annual compliance costs about the same as a year of non-compliance fees and a tiny fraction of what a single breach costs. Budget $500-1,000 annually for tools and scanning, and consider it insurance for your ability to accept credit cards.
Staying Compliant Year-Round
PCI compliance isn’t a one-time thing — it’s an annual requirement with quarterly checkpoints. Your processor will ask for updated compliance validation every year, and those ASV scans need to happen every three months.
Setting up reminders:
- Annual SAQ due date (usually anniversary of last submission)
- Quarterly scan windows (every 90 days)
- Security update schedules for payment systems
- Password change reminders
What changes trigger a new assessment:
- Switching payment processors or methods
- Adding new payment channels (going from in-store to online)
- Significant network changes
- Starting to store card data (please don’t)
Tracking compliance doesn’t have to be complex. PCICompliance.com’s compliance dashboard shows your current status, upcoming deadlines, scan results, and what needs attention. Set it and forget it — we’ll remind you when action’s needed.
FAQ
Q: I’m just a small business. Do I really need to do all this?
A: If you accept credit cards, yes, but “all this” is probably simpler than you think. Most small businesses complete SAQ A or B in under an hour annually, plus quarterly ASV scans where their SAQ type requires them; once scheduled, those run without you doing anything unless something fails.
Q: What happens if I ignore the compliance questionnaire?
A: Your payment processor will likely start charging monthly non-compliance fees ($20-100/month is common). Eventually, they can terminate your merchant account, meaning you can’t accept credit cards.
Q: My firewall blocks the PCI scan. What do I do?
A: First, work out what “blocked” means. A firewall that simply keeps unused ports closed is not a problem: the scanner records them as closed or filtered, which is exactly what you want. The problem is active blocking: an IPS, rate limiter, geo-block or “shun” feature that notices the scanner probing hundreds of ports and starts dropping its traffic part-way through. The ASV program treats that as scan interference, and the scan comes back inconclusive rather than passing. The fix is to get the ASV’s published scanner IP ranges and exempt exactly those ranges from the IPS and rate-limiting features (not from your port policy) for the scan window, then re-run. Do not switch the IPS off for everyone, and do not open ports the scanner “couldn’t see”; closed is the right answer. Your IT provider can make the change, or PCICompliance.com’s scan scheduling tool coordinates the window with common firewall providers.
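Before the scan window opens, it is worth checking that the ASV’s source ranges are exempt from your IPS and rate limiting, and that the exemption is no wider than those ranges. The following is an added example written for this article, not PCICompliance.com’s tool or any firewall vendor’s code. It models a perimeter as a first-match rule chain using a constructed ruleset, with RFC 5737 documentation addresses standing in for the scanner ranges a real ASV publishes in its portal, and flags the two common failure modes: the rate limiter shunning the scanner part-way through, and the over-correction of disabling the IPS for everyone.

```python
"""Pre-scan check for ASV scan interference (added example, not PCICompliance.com code).

Assumptions (all constructed for this example):
  - The perimeter is modelled as an ordered DYNAMIC chain (IPS / rate-limit /
    geo-block rules, action "block", and their exceptions, action "exempt"),
    evaluated first-match before the ordinary static port policy.
  - A closed port in the static policy is fine for an ASV scan; the scanner just
    records it. A scanner source that trips a DYNAMIC "block" is scan
    interference: the scan comes back inconclusive, not passing.
  - ASV scanner ranges below are RFC 5737 documentation addresses standing in for
    the ranges a real ASV publishes.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str                 # "exempt" | "block"
    src: str = "0.0.0.0/0"      # source CIDR the rule matches
    note: str = ""


# Hypothetical ASV scanner source ranges.
ASV_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Typical starting point: a rate limiter that shuns any source opening many
# connections. A port scan looks exactly like that, so the ASV gets blocked.
DYNAMIC_BEFORE = [
    Rule("block", "0.0.0.0/0", "rate-limit: >100 new connections/min per source -> shun 1h"),
]

# Common over-correction: switching the IPS off for everyone during the scan.
DYNAMIC_OVERBROAD = [
    Rule("exempt", "0.0.0.0/0", "temporarily disabled for PCI scan"),
    Rule("block", "0.0.0.0/0", "rate-limit"),
]


def interference(dynamic, asv_ranges):
    """Walk the dynamic chain for each ASV range; return {range: offending block rule or None}.

    An 'exempt' only protects a range if it covers the WHOLE range: the scanner may
    arrive from any address in the range it publishes.
    """
    report = {}
    for net in asv_ranges:
        hit = None
        for rule in dynamic:
            rnet = ip_network(rule.src)
            if rnet.version != net.version:
                continue
            if rule.action == "exempt" and net.subnet_of(rnet):
                break                       # leaves the IPS chain; static port policy decides
            if rule.action == "block" and net.overlaps(rnet):
                hit = rule                  # some or all scanner addresses get shunned
                break
        report[net] = hit
    return report


def overbroad_exemptions(dynamic, asv_ranges):
    """Exempt rules reaching beyond the ASV's own ranges defeat the IPS for everyone."""
    bad = []
    for rule in dynamic:
        if rule.action != "exempt":
            continue
        rnet = ip_network(rule.src)
        covered = any(a.version == rnet.version and rnet.subnet_of(a) for a in asv_ranges)
        if not covered:
            bad.append(rule)
    return bad


def fix(dynamic, asv_ranges):
    """Return a dynamic chain whose exemptions are scoped exactly to the ASV ranges and
    sit ahead of every block rule. Existing exemptions are replaced, not kept."""
    exempts = [Rule("exempt", str(n), "ASV scanner range; review after scan window") for n in asv_ranges]
    return exempts + [r for r in dynamic if r.action != "exempt"]


def ready_for_scan(dynamic, asv_ranges):
    """True only if no ASV range is blocked and no exemption is wider than the ASV ranges."""
    return (not any(interference(dynamic, asv_ranges).values())
            and not overbroad_exemptions(dynamic, asv_ranges))


if __name__ == "__main__":
    for name, chain in [("before", DYNAMIC_BEFORE), ("overbroad", DYNAMIC_OVERBROAD),
                        ("fixed", fix(DYNAMIC_BEFORE, ASV_RANGES))]:
        print(f"{name}: ready={ready_for_scan(chain, ASV_RANGES)}")
        for net, rule in interference(chain, ASV_RANGES).items():
            if rule:
                print(f"  {net} would be blocked by: {rule.note}")
        for rule in overbroad_exemptions(chain, ASV_RANGES):
            print(f"  over-broad exemption: {rule.src} ({rule.note})")
```

Translate the “exempt” rules into whatever your firewall calls its IPS allowlist or bypass (the feature name varies by vendor), keep the port policy untouched, and re-run the check whenever the ASV updates its published ranges.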
Q: Can I just say “yes” to all the questions?
A: Absolutely not. False attestation is fraud and leaves you fully liable for any breach. Answer honestly: if you cannot say “yes” to something, fix it, or, where a genuine business constraint prevents that, document a compensating control with help from your processor or a QSA.
Q: How do I know which SAQ type I need?
A: Look at how you accept payments. Online with redirect to processor? SAQ A. Standalone terminal? SAQ B. When in doubt, use PCICompliance.com’s free SAQ Wizard or ask your payment processor.
Q: What’s an ASV scan and why do I need it quarterly?
A: An Approved Scanning Vendor checks your internet-facing systems for security vulnerabilities every 90 days. It’s like a security health checkup that catches problems before criminals do.
Q: Do I need to hire a QSA?
A: Most small merchants don’t. Level 4 merchants (under 20,000 e-commerce transactions and under 1 million card transactions a year) self-assess with an SAQ. Only Level 1 merchants, or merchants whose processor specifically requires it, need a formal assessment producing a Report on Compliance, performed by a QSA or a certified internal assessor.
Q: Is PCI compliance the same as being secure?
A: PCI compliance is a security baseline, not complete protection. Think of it as locking your doors and windows — necessary but not sufficient. Good security goes beyond PCI requirements.
Conclusion
That PCI compliance questionnaire from your payment processor might seem overwhelming, but now you know what it’s really asking: verification that you’re following basic security practices when handling credit card data. For most small businesses, it’s an annual questionnaire and quarterly security scans — probably simpler than your business tax returns.
The key steps: Determine which SAQ applies to your business (use the scenarios above or PCICompliance.com’s free SAQ Wizard), honestly complete the questionnaire, schedule quarterly ASV scans, and submit your attestation. Set up reminders for next year and you’re done.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans (and helps when your scan gets blocked by your firewall), and our compliance dashboard tracks your progress year-round. You don’t need to become a security expert; you just need the right tools and guidance. Start with our free SAQ Wizard to identify your requirements in under five minutes, or talk to our compliance team if you need help getting started.
Remember: PCI compliance isn’t about perfection — it’s about protecting your customers’ card data and your business’s ability to accept payments. With the right approach and tools, it’s entirely manageable, even if terms like “PCI scan blocked firewall” initially sound like a foreign language. You’ve got this.