The Antropy OpenCart Blog

Do You Really Need a PCI Scan?

Posted by Joe Beahan on February 17, 2026

PCI compliance is a topic that often generates confusion - and, at times, frustration - for online merchants. PCI scans can require time, technical adjustments, and follow-up communication with the scanning provider.

They also represent a costly financial investment - something that unscrupulous PCI vendors are all too ready to take advantage of, selling you PCI scans that you might not even need!

Given this, many business owners understandably ask: is it truly necessary? The answer depends on how your website handles payment data.

Probably Not

The short and simple summary is this: Most online shops do not need to be PCI compliant!

The scope of PCI requirements is defined in the PCI Data Security Standard (PCI DSS) v4.0.1. It states that:

PCI DSS requirements apply to:
  • The cardholder data environment (CDE), which is comprised of:
    • System components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data, and,
    • System components that may not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD.

    AND
  • System components, people, and processes that could impact the security of cardholder data and/or sensitive authentication data.

In simple terms, PCI compliance applies to systems that store, process, or transmit cardholder data, or that have unrestricted connectivity to systems that do. This distinction is critical.

As for what counts as 'cardholder data', the glossary of the PCI DSS defines it as: "At a minimum, cardholder data consists of the full PAN." (i.e. the full card number, usually the 16 digits embossed across the front of the card). In other words, a system only handles cardholder data, and only becomes subject to PCI requirements, if it directly handles full payment card numbers.

So, only if your website directly handles credit/debit card details - for example, if card fields are embedded on your checkout page and the data passes through your server on its way to the payment gateway - does your site fall within PCI scope and have to be compliant.

However, if you use:

  • A fully hosted, off-site payment page, or
  • An embedded iframe where cardholder data is handled entirely by the payment provider

then your website does not store, process, or transmit cardholder data. In these cases, your PCI obligations are significantly reduced because your infrastructure is not part of the cardholder data environment.

Most online shops use an off-site payment page or an embedded iframe payment form, neither of which needs PCI compliance.
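One practical way to apply the scope test above is to look at what your own checkout page actually sends, and where. The following is an added example (not code from the original post or from Antropy) that parses a saved copy of a checkout page and reports whether card fields post back to the merchant's own host (in scope), whether card entry is delegated to a third-party iframe, or whether the page simply redirects to a hosted payment page. The field-name heuristics, the merchant hostname `shop.example`, the provider hostnames and the three sample HTML snippets are all constructed here for illustration.

```python
"""Added example: a rough, offline audit of a checkout page's HTML to see
whether card details would pass through the merchant's own server.
Assumptions: the HTML is a static copy of your own checkout page; the
field-name heuristics and sample markup are constructed for this example
and this is not an official PCI DSS scoping tool."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed heuristics: substrings commonly found in card input names
# (e.g. OpenCart-style cc_number / cc_cvv2, or card_number / expiry_month).
CARD_FIELD_HINTS = ("card", "cc_", "cvv", "cvc", "expir", "exp_")


class CheckoutAuditor(HTMLParser):
    """Collects card-like inputs (with the host their form posts to) and
    iframes served from hosts other than the merchant's."""

    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host.lower()
        self._form_stack = []       # action hosts of currently open <form> tags
        self.card_fields = []       # (input name, host the enclosing form posts to)
        self.foreign_iframes = []   # hosts of iframes not served by the merchant

    def _host(self, url):
        # Relative or empty URLs resolve to the merchant's own host.
        return (urlparse(url).hostname or self.merchant_host).lower()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_stack.append(self._host(a.get("action") or ""))
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_FIELD_HINTS):
                target = self._form_stack[-1] if self._form_stack else self.merchant_host
                self.card_fields.append((name, target))
        elif tag == "iframe":
            host = self._host(a.get("src") or "")
            if host != self.merchant_host:
                self.foreign_iframes.append(host)

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def classify_checkout(html, merchant_host):
    """Return (verdict, evidence). Verdicts:
    'direct'                  card fields post to the merchant host -> in PCI scope
    'card_fields_offsite_post' card fields on the page post to another host -> check with provider
    'iframe'                  no card fields; card entry delegated to a third-party iframe
    'offsite_redirect'        no card fields and no iframe; checkout hands off to a hosted page
    """
    auditor = CheckoutAuditor(merchant_host)
    auditor.feed(html)
    to_merchant = [f for f in auditor.card_fields if f[1] == merchant_host.lower()]
    if to_merchant:
        return "direct", to_merchant
    if auditor.card_fields:
        return "card_fields_offsite_post", auditor.card_fields
    if auditor.foreign_iframes:
        return "iframe", auditor.foreign_iframes
    return "offsite_redirect", []


# Constructed sample pages (not from any real shop or provider).
DIRECT_SAMPLE = """<form action="/index.php?route=extension/payment/pay" method="post">
<input name="cc_number"> <input name="cc_cvv2"> <button>Pay</button></form>"""

IFRAME_SAMPLE = """<form action="/index.php?route=checkout/confirm" method="post">
<input name="email"></form>
<iframe src="https://pay.example-provider.test/frame?session=abc"></iframe>"""

REDIRECT_SAMPLE = """<form action="https://checkout.example-provider.test/start" method="post">
<input type="hidden" name="order_id" value="1001"><button>Pay now</button></form>"""

if __name__ == "__main__":
    for label, page in (("direct", DIRECT_SAMPLE), ("iframe", IFRAME_SAMPLE),
                        ("redirect", REDIRECT_SAMPLE)):
        print(label, "->", classify_checkout(page, "shop.example"))
```

A static check like this only sees markup present in the saved HTML; providers that inject their card iframe with JavaScript at page load will show up as `offsite_redirect` here, so confirm the verdict against a live page in your browser's developer tools before relying on it.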

Have You Been Missold PCI?

We've recently seen a lot of situations where clients are pressured to purchase PCI scanning services despite using 100% off-site payment pages! Some crafty PCI vendors will use vague threats of hackers, or fines from card issuers, to push people into spending too much money on a PCI scan that they simply don't need.

If your integration does not handle cardholder data directly, full PCI scanning of your website is almost certainly not required under PCI DSS scope guidelines!

If you're uncertain, review your payment flow carefully or consult a qualified professional to confirm whether your website needs it or not.

Choosing a Better Payment Provider

Nearly all payment providers offer off-site payment page solutions. However some, like certain underhanded PCI vendors, will enforce PCI compliance even if your integration doesn't need it!

If your payment provider requires PCI compliance even if you're using an off-site payment page, it may be worth reviewing their policies and assessing alternative options.

For example, merchants using Stripe's fully hosted checkout often benefit from reduced PCI scope, because card data is handled securely on Stripe's side rather than on the merchant's site.

Some examples of payment gateways with OpenCart extensions whose off-site or embedded payment pages do not require PCI compliance:

  • Barclaycard ePDQ / Smartpay Fuse
  • BluePay Redirect
  • Checkout Finland
  • Klarna Checkout
  • Mollie Payments
  • PayPal Checkout Integration
  • Realex Redirect / Global Payments
  • SagePay/Opayo (Server Integration)
  • Stripe
  • Swish Payments

When PCI Compliance Actually Is Required

If your website does directly handle cardholder data - for example, through certain on-site gateway integrations such as those offered by Opayo - then PCI compliance is mandatory.

In that case, preparation and the right technical environment make a substantial difference.

Practical Recommendations

1. Select a reputable scanning provider.

Providers such as SecurityMetrics and Qualys are generally known for clear reporting, transparent evidence of findings, and structured processes for handling false positives.

2. Use appropriate hosting infrastructure.

Shared hosting environments can limit your ability to address configuration-level PCI findings. A Virtual Private Server (VPS) provides greater control over:

  • Software versions
  • TLS configurations
  • Server hardening
  • Security patching

This control is often essential for successfully resolving scan findings.

Check out our VPS offerings to secure your website today.

3. Work with an experienced development team.

PCI remediation typically involves server configuration updates, dependency management, and security hardening. Having experienced developers on hand can significantly reduce both time to compliance and operational disruption.

Got a failing PCI report? Contact us for a quote to move your website to a secure server and get those PCI issues fixed.

So, in conclusion...

PCI scans are not universally required, but they are essential when your website directly handles cardholder data. The key is understanding whether your payment integration places your infrastructure within PCI scope.

If you are unsure about your current setup or need assistance achieving compliance on your OpenCart website, we are available to review your integration and provide guidance tailored to OpenCart.
