PCI Scan Timeout Fix
You just received a questionnaire from your payment processor asking about PCI compliance, and now you’re searching for answers about PCI scan timeout issues. Take a deep breath — for most small businesses, PCI compliance is much simpler than it sounds. If your vulnerability scan is timing out or you’re confused about what these scans even are, this guide will walk you through everything you need to know in plain English.
What Is PCI Compliance (In Plain English)
PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that apply to anyone who accepts credit card payments. Think of it as a security checklist created by the major card brands — Visa, Mastercard, American Express, and Discover — to protect customer card data.
The card brands created these standards through an organization called the PCI Security Standards Council (PCI SSC). But here’s the important part: your payment processor or acquiring bank is the party that actually enforces these rules and collects your validation. That’s why they sent you that compliance questionnaire.
If you don’t comply with PCI standards, the consequences are real but manageable:
- Your payment processor can fine you (typically $5,000-$100,000 per month for non-compliance)
- You’re liable for fraud losses if card data gets stolen
- In extreme cases, you could lose the ability to accept credit cards
The good news? Most small businesses qualify for the simplest compliance requirements. You don’t need a team of security experts — you just need to answer some questions honestly and fix any basic security issues.
Do You Need to Be PCI Compliant?
Simple answer: If you accept credit cards in any form, yes. It doesn’t matter if you’re a food truck with a Square reader or an online boutique using Shopify — PCI compliance applies to you.
Your merchant level determines how you validate. Each card brand sets its own thresholds; the ones below are Visa’s and count transactions per year:
- Level 4 (fewer than 20,000 e-commerce transactions, or up to 1 million transactions across all channels): most small businesses fall here
- Level 3 (20,000 to 1 million e-commerce transactions): growing online businesses
- Level 2 (1 to 6 million transactions): larger operations
- Level 1 (over 6 million transactions, or any merchant that has suffered a breach): enterprise merchants
Levels 2 through 4 validate with a Self-Assessment Questionnaire (SAQ). Only Level 1 needs an on-site assessment by a Qualified Security Assessor (QSA) and a Report on Compliance. Most small businesses are Level 4.
That questionnaire your payment processor sent? It’s their way of verifying you’re following basic security practices. They’re required to collect this annually, and they’ll keep sending reminders (and eventually fines) until you complete it.
Which SAQ Do You Need?
The biggest source of confusion in PCI compliance is figuring out which SAQ applies to your business. There are different questionnaires based on how you accept payments:
| How You Accept Payments | Your SAQ Type | Approx. Questions (varies by PCI DSS version) | Difficulty |
|---|---|---|---|
| Card-not-present, every payment function outsourced to a PCI DSS validated provider (PayPal, Square online, full redirect or iframe checkout) | SAQ A | ~20-30 | Easy |
| E-commerce where your own site controls how card data is collected (e.g. your form posts directly to the processor) | SAQ A-EP | ~190 | Moderate |
| Standalone dial-up terminal, no electronic card storage | SAQ B | ~40 | Easy |
| Standalone IP-connected terminal, no electronic card storage | SAQ B-IP | ~80 | Easy-Moderate |
| Virtual terminal on one dedicated computer (phone/mail orders) | SAQ C-VT | ~80 | Moderate |
| Any electronic card storage, or a setup no other SAQ covers | SAQ D | ~320 | Complex |
Let’s make this even simpler:
If you use a payment terminal like Square, Clover, or a traditional credit card machine, you’re likely SAQ B (dial-up) or SAQ B-IP (internet-connected).
If you have an e-commerce site using Shopify Payments, WooCommerce with Stripe Checkout, or similar hosted solutions, you’re likely SAQ A or SAQ A-EP: SAQ A if the customer is handed entirely to the provider’s payment page (a redirect or a full iframe), SAQ A-EP if your own page contains the card form or scripts that touch card data before it reaches the processor.
If you take payments over the phone and type card numbers into a virtual terminal, you’re likely SAQ C-VT.
If you store card numbers in any system (please reconsider this), you’re stuck with SAQ D — the most complex questionnaire.
Not sure which one applies? PCICompliance.com’s SAQ Wizard asks you a few simple questions about your payment setup and tells you exactly which questionnaire you need.
How to Complete Your SAQ
Your SAQ is a series of yes/no questions about your security practices. Here’s what to expect:
The questionnaire itself looks like a checklist. Each question asks about a specific security control:
- “Do you change default passwords on payment terminals?”
- “Is your payment terminal in a secure location?”
- “Do you have antivirus on computers that handle payments?”
When you answer “yes,” you’re confirming that control is in place. If you answer “no,” you have a gap to fix before you can attest. If a question genuinely doesn’t apply to your environment, mark it not applicable and be ready to explain why.
Documentation you might need:
- Network diagram (for more complex SAQs — a simple sketch often works)
- Security policies (basic written procedures for handling card data)
- ASV scan results (we’ll explain this next)
- Service provider attestations (if you use third-party payment services)
The quarterly ASV scan is where many merchants get stuck. An Approved Scanning Vendor runs an automated external vulnerability scan of your internet-facing systems (your website, the public IP in front of an IP-connected terminal network) from the ASV’s own scanner addresses. Not every SAQ requires it: SAQ A-EP, B-IP, C and D do, because they cover internet-facing systems. If you’re seeing PCI scan timeout errors, it usually means one of these:
- Your firewall or intrusion prevention system is dropping or rate-limiting the scanner’s connections
- Your hosting provider, CDN or web application firewall is blocking the scanner
- The scanner can’t reach the target at all (wrong IP or hostname in scope, or the host is offline during the scan window)
The fix is usually simple: allowlist the ASV’s published scanner source addresses in your firewall, WAF and any rate-limiting rules, or have your hosting provider do it. Two caveats. The ASV Program Guide requires that active protection systems not interfere with the scan, so a scan your WAF fights off is reported as inconclusive, not passed. And the exemption should only stop the blocking: if you open ports or services for the scanner that the rest of the internet can’t see, the scan no longer measures what an attacker sees, which defeats its purpose.
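A quick way to tell those three causes apart before you open a ticket with your ASV or host is to look for the scanner’s source addresses in your own logs. The script below is an added example, not part of this article or any ASV’s tooling. It reads constructed nginx access-log lines and iptables LOG lines, treats the RFC 5737 documentation range 203.0.113.0/24 as a placeholder for the ASV’s published scanner ranges, and reports which cause the evidence supports: kernel drops from the scanner range point at your host firewall, 403/429 answers point at a WAF or rate limit, and no trace at all points upstream or at a wrong target.

```python
import ipaddress
import re

# Placeholder (RFC 5737 documentation block); substitute the ranges your ASV publishes.
ASV_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: nginx combined-format access log covering one scan window.
ACCESS_LOG = """\
198.51.100.7 - - [10/Mar/2025:02:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2025:02:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "ASV-Scanner"
203.0.113.42 - - [10/Mar/2025:02:00:06 +0000] "GET /robots.txt HTTP/1.1" 429 0 "-" "ASV-Scanner"
203.0.113.42 - - [10/Mar/2025:02:00:06 +0000] "GET /admin/ HTTP/1.1" 403 0 "-" "ASV-Scanner"
203.0.113.42 - - [10/Mar/2025:02:00:07 +0000] "GET /login HTTP/1.1" 429 0 "-" "ASV-Scanner"
"""

# Constructed sample: iptables LOG-target lines from /var/log/kern.log, logged with prefix "FW-DROP:".
KERN_LOG = """\
Mar 10 02:00:04 shop kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Mar 10 02:00:04 shop kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=8443 SYN
Mar 10 02:00:09 shop kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=3389 SYN
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')
KERN_RE = re.compile(r"SRC=(\S+) .*?DPT=(\d+)")

# Responses that mean the request arrived but an active protection layer refused it.
INTERFERENCE_CODES = {403, 429}


def from_asv(ip: str) -> bool:
    """True when the address falls inside one of the ASV's scanner ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ASV_RANGES)


def asv_web_requests(access_log: str) -> list[int]:
    """HTTP status codes the web tier returned to the scanner."""
    statuses = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and from_asv(m.group(1)):
            statuses.append(int(m.group(2)))
    return statuses


def asv_dropped_ports(kern_log: str) -> list[int]:
    """Destination ports on which the host firewall dropped scanner packets."""
    ports = []
    for line in kern_log.splitlines():
        m = KERN_RE.search(line)
        if m and from_asv(m.group(1)):
            ports.append(int(m.group(2)))
    return ports


def triage(access_log: str, kern_log: str) -> dict:
    """Summarise scanner traffic seen on this host and name the likely causes of a timeout."""
    statuses = asv_web_requests(access_log)
    dropped = asv_dropped_ports(kern_log)
    blocked = sum(1 for s in statuses if s in INTERFERENCE_CODES)
    causes = []
    if dropped:
        causes.append("host_firewall")
    if statuses and blocked * 2 >= len(statuses):  # half or more of the scanner's requests refused
        causes.append("waf_or_rate_limit")
    if not statuses and not dropped:
        causes.append("no_trace")
    return {"asv_requests": len(statuses), "asv_blocked": blocked,
            "dropped_ports": sorted(set(dropped)), "causes": causes}


ADVICE = {
    "host_firewall": "Host firewall is dropping scanner packets: add an ACCEPT rule for the ASV ranges "
                     "above the DROP and rate-limit rules for the scan window.",
    "waf_or_rate_limit": "Web tier answers the scanner with 403/429: a WAF or rate limit is interfering. "
                         "The ASV has to flag this as scan interference, so exempt the ASV ranges from those rules.",
    "no_trace": "Nothing from the ASV ranges reached this host: check the provider or cloud firewall, any CDN, "
                "and that the ASV was given the right target IP.",
}

if __name__ == "__main__":
    result = triage(ACCESS_LOG, KERN_LOG)
    print(result)
    for code in result["causes"]:
        print("-", ADVICE[code])
```

On the constructed sample the host is both dropping the scanner’s SSH and 8443 probes at the firewall and rate-limiting its web requests, so two causes are reported together; that is common in practice, and fixing only one of them still leaves the scan inconclusive.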
Submitting your compliance package:
1. Complete all SAQ questions
2. Run and pass your ASV scan (if required)
3. Sign the Attestation of Compliance (AOC)
4. Submit everything to your payment processor
Most SAQs take 1-4 hours to complete, depending on type. The scan runs from the ASV’s infrastructure without your involvement; how long it takes depends on how many addresses and services are in scope, from well under an hour for a single small website to several hours for a larger footprint.
What It Costs
Let’s talk real numbers for small business PCI compliance:
Compliance platforms and tools: $100-500 per year for Level 4 merchants. This typically includes:
- SAQ questionnaire platform
- Compliance tracking
- Basic support
- Remediation guidance
Quarterly ASV scanning: $200-400 per year (often bundled with compliance platforms). You need four passing scans annually.
If you need a QSA: an on-site assessment by a Qualified Security Assessor (a Report on Compliance) is only mandatory for Level 1 merchants. SAQ D is still a self-assessment, though its size leads many merchants to hire a QSA for help with it. Budget $15,000-50,000 for a formal assessment.
The cost of NON-compliance:
- Monthly fines from your processor: $5,000-100,000
- Breach liability: Average small business breach costs $120,000
- Lost revenue from suspended card processing: Devastating
Bottom line: Annual compliance for most small merchants costs less than a single month’s non-compliance fine. It’s not an expense — it’s insurance.
Staying Compliant Year-Round
PCI compliance isn’t a one-and-done checkbox. Your processor requires annual recertification and quarterly scans. Here’s how to stay on track:
Set up your compliance calendar:
- Annual SAQ due date (usually your anniversary date with the processor)
- Quarterly ASV scans (every 90 days)
- Policy reviews (annually)
- Security awareness training (annually for staff who handle cards)
What triggers a new assessment:
- Changing payment processors
- Adding new payment channels (like adding e-commerce to retail)
- Significant network changes
- Moving to a new SAQ type
Track everything: Your compliance dashboard should show:
- Current compliance status
- Days until next deadline
- Scan history and results
- Required remediation items
PCICompliance.com’s compliance dashboard handles all this automatically, sending you reminders before deadlines and tracking your progress throughout the year.
FAQ
What’s the difference between PCI compliance and PCI certification?
There’s no such thing as “PCI certification” for merchants: you’re either compliant or non-compliant, and you validate compliance by completing your SAQ (or a Report on Compliance at Level 1) and meeting every requirement. Service providers go through a QSA assessment and can be listed by the card brands as validated, which is sometimes marketed as “PCI Certified,” but that’s a different process entirely.
My payment processor says I’m non-compliant. What now?
First, find out what’s missing — usually it’s an incomplete SAQ or failed/missing ASV scans. Complete any missing items immediately to avoid fines. If you’re already being fined, completing your compliance requirements usually stops future fines, though past fines typically aren’t refunded.
Do I need PCI compliance if I only use PayPal/Square/Stripe?
Yes, but you qualify for the simplest SAQ types. These payment facilitators handle most of the security burden, but you still need to validate that you’re using their services correctly. It’s usually just SAQ A with about 20 questions.
What’s a PCI scan timeout and how do I fix it?
When your quarterly ASV scan can’t complete because the scanner’s connections are dropped, blocked or never reach your systems, it times out. Common fixes include allowlisting the ASV’s published scanner IP addresses in your firewall, WAF and rate-limiting rules, asking your hosting provider to allow PCI scans, and making sure the target IPs and hostnames you gave the ASV are correct and online during the scan window. Your own logs tell you where to look: dropped packets from the scanner’s addresses point to your firewall, 403 or 429 responses point to a WAF or rate limit, and no trace at all points upstream to the provider or to a wrong target.
How often do I need to run vulnerability scans?
Quarterly: four times per year, no more than 90 days apart. Each scan must pass to maintain compliance. Under the ASV Program Guide, any finding scored CVSS 4.0 or higher (medium severity and above) fails the scan, as does a short list of automatic failures the guide names regardless of score. If a scan fails, you fix the findings and rescan until it passes; a scan the scanner couldn’t complete because your protections interfered with it doesn’t count as a pass either.
Can I do PCI compliance myself or do I need a consultant?
Most Level 4 merchants can handle PCI compliance independently using a compliance platform. You only need a QSA consultant if you’re Level 1, have complex payment environments, or need help with remediation. Start with self-assessment — you can always bring in help later if needed.
What happens if I just ignore PCI compliance?
Your payment processor will escalate from reminders to fines (typically starting at $5,000/month). Eventually, they can terminate your merchant account, making it difficult to get approved elsewhere. Plus, you’re fully liable if card data gets compromised.
Is PCI compliance the same for online and physical stores?
The principles are the same but the requirements differ. Physical stores focus on terminal security and physical access controls. E-commerce sites deal with web application security and encryption. Your SAQ type reflects these differences — that’s why choosing the right one matters.
Conclusion
PCI compliance might seem overwhelming when that first questionnaire arrives, but it’s genuinely manageable for most small businesses. The key is understanding which requirements actually apply to you and tackling them systematically.
Remember, if you’re a typical small merchant using modern payment solutions, you’re probably looking at a few hours of work annually to maintain compliance. That’s a small investment to protect your business and your customers’ data.
PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need, our ASV scanning service handles your quarterly vulnerability scans (and helps resolve any PCI scan timeout issues), and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to see just how straightforward your compliance journey can be, or talk to our compliance team if you need guidance getting started.