Free · Instant · No sign-up

PCI Quick Check

Deep PCI Compliance Pre-scan with 24 Security Checks

What gets checked

Takes about 4 minutes to complete.

1. TLS/SSL Versions

Checks for outdated/vulnerable protocols like SSL 3.0, TLS 1.0, TLS 1.1.

2. SSL Certificate

Validity, expiration, chain trust, hostname match, key size, signature algorithm.

3. Security Headers

HSTS, X-Content-Type-Options, X-Frame-Options, CSP, X-XSS-Protection, etc.

4. Insecure Server Configuration

TRACE method, server banner disclosure, directory listing, WebDAV, etc.

5. Open Ports

Scans for risky/unnecessary open ports like FTP, SSH, databases, RDP, etc.

6. Firewall Rules (Inferred)

Analyzes whether high-risk ports are properly restricted.

7. DNS Zone Transfer

Checks if AXFR zone transfers are allowed.

8. Vulnerable Software

Detects outdated versions of Apache, nginx, IIS, PHP, OpenSSL, etc. via banners.

9. Sensitive Files Exposed

Publicly accessible files like web.config, .env, wp-config.php, phpinfo.php, backups, admin panels.

10. HTTP Security Issues

Insecure cookies, mixed content, open redirects.

11. Exposed Management Interfaces

phpMyAdmin, cPanel, Plesk, Webmin, WHM, DirectAdmin, WordPress admin, Tomcat, etc.

12. Exposed API Keys

Scans page source for leaked AWS, Google, Stripe, GitHub, Slack, SendGrid, Twilio keys, and private keys.

13. Clickjacking Protection

Verifies X-Frame-Options or CSP frame-ancestors prevent your site from being framed by attackers.

14. Cookie Security

Checks Set-Cookie headers for Secure, HttpOnly, and SameSite flags required for PCI compliance.
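The header and cookie conditions behind checks 3, 13 and 14 can be audited offline against a captured response. The following Python is an added example, not pciscan.org's own scanner code; the response headers are constructed for illustration, and the one-year HSTS threshold is an assumption (the page does not state the value the scanner uses).

```python
"""Audit captured HTTP response headers for HSTS, nosniff, clickjacking
protection and Set-Cookie flags. Added example, not pciscan.org's code."""
import re
from typing import Dict, List, Tuple

# Constructed sample response: a list of (name, value) pairs so that repeated
# Set-Cookie lines survive (a dict would merge them).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Strict-Transport-Security", "max-age=300"),            # far too short
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),       # no frame-ancestors
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),      # missing Secure, SameSite
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

MIN_HSTS_AGE = 31536000  # assumed threshold: one year in seconds


def _get(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below one year")
    if "nosniff" not in " ".join(_get(headers, "X-Content-Type-Options")).lower():
        findings.append("X-Content-Type-Options: nosniff missing")
    # Clickjacking: either CSP frame-ancestors or X-Frame-Options is acceptable.
    csp = " ".join(_get(headers, "Content-Security-Policy"))
    if "frame-ancestors" not in csp.lower() and not _get(headers, "X-Frame-Options"):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return findings


def audit_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each cookie name to the flags it lacks; cookies with all flags are omitted."""
    missing: Dict[str, List[str]] = {}
    for raw in _get(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        gaps = [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs]
        if gaps:
            missing[name] = gaps
    return missing


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FAIL:", finding)
    for cookie, gaps in audit_cookies(SAMPLE_HEADERS).items():
        print(f"FAIL: cookie {cookie} missing {', '.join(gaps)}")
```

Run against the constructed sample it reports the short HSTS max-age, the absent framing protection and the `session` cookie's missing Secure and SameSite attributes, while the fully flagged `csrftoken` cookie passes.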

15. Error Disclosure

Probes for verbose error pages leaking stack traces, file paths, or framework internals.

16. Cloud Storage Exposure

Probes predictable AWS S3, Google Cloud Storage, and Azure Blob URLs for publicly listable buckets.

17. OAuth/OIDC Security

Probes the OpenID Connect discovery endpoint for weak signing algorithms and missing PKCE support.

18. PII Detection

Scans homepage source for exposed credit card numbers (Luhn-validated), SSN patterns, and email harvesting risk.
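How a Luhn-validated card-number scan of page source works, as an added example rather than pciscan.org's own implementation: the HTML below is constructed, uses the well-known Visa test number 4111 1111 1111 1111, and the 13 to 19 digit candidate range is an assumption about what the scanner considers a PAN.

```python
"""Find Luhn-valid card numbers in page source and report them masked.
Added example, not pciscan.org's code; sample HTML is constructed."""
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_HTML = """<html><body>
<p>Order ref 1234567890123</p>
<input type="hidden" name="card" value="4111 1111 1111 1111">
<p>Tracking 1234-5678-1234-5678</p>
</body></html>"""


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(source: str) -> List[str]:
    """Return masked PANs (last four digits kept) found in the page source."""
    hits = []
    for m in CANDIDATE_RE.finditer(source):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


if __name__ == "__main__":
    for pan in find_card_numbers(SAMPLE_HTML):
        print("possible card number exposed:", pan)
```

Only the Visa test number survives: the order reference and the tracking number are digit runs of plausible length but fail the checksum. Roughly one in ten random digit strings passes Luhn, so a real scanner reports these as candidates for review rather than confirmed card data, and it should never log the full number it found.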

19. Weak Cryptography

Detects references to MD5, SHA-1, DES, RC4, and insecure JS patterns like Math.random for tokens.

20. Admin Panel Discovery

Probes common admin paths (/admin, /wp-login, /manager, etc.) for exposed login forms that should be IP-restricted.

21. CORS Misconfiguration

Sends a crafted Origin header to see if the server reflects arbitrary origins or combines wildcard with credentials - a classic cross-site data leak.
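The decision logic for check 21, as an added example that is not pciscan.org's code: given the Origin that was sent and the response headers that came back from your own server, classify the CORS policy. The responses below are constructed, and the unrelated origin `https://unrelated.example` is a placeholder.

```python
"""Classify a CORS response relative to the Origin that was sent.
Added example, not pciscan.org's code; responses are constructed."""
from typing import Dict, FrozenSet

# An origin that has no business being allowed; placeholder value.
PROBE_ORIGIN = "https://unrelated.example"

# Constructed responses to a request carrying Origin: PROBE_ORIGIN.
REFLECTED_WITH_CREDS = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}
WILDCARD_WITH_CREDS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
ALLOWLISTED = {"Access-Control-Allow-Origin": "https://app.example.com"}
NO_CORS: Dict[str, str] = {}


def classify_cors(sent_origin: str, response_headers: Dict[str, str],
                  trusted: FrozenSet[str] = frozenset()) -> str:
    """Return one of: none, safe, wildcard, wildcard+credentials,
    reflected, reflected+credentials.

    'reflected' means the server echoed an origin that is not in `trusted`;
    with credentials this lets any site read authenticated responses."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        # Browsers refuse credentialed requests to "*", but the pairing still
        # signals a configuration mistake worth fixing.
        return "wildcard+credentials" if creds else "wildcard"
    if acao == sent_origin and sent_origin not in trusted:
        return "reflected+credentials" if creds else "reflected"
    return "safe"


def is_cors_failure(verdict: str) -> bool:
    """Which verdicts the check would report as a failure."""
    return verdict in ("reflected", "reflected+credentials", "wildcard+credentials")


if __name__ == "__main__":
    for label, resp in [("reflected", REFLECTED_WITH_CREDS),
                        ("wildcard", WILDCARD_WITH_CREDS),
                        ("allowlist", ALLOWLISTED), ("none", NO_CORS)]:
        verdict = classify_cors(PROBE_ORIGIN, resp)
        print(f"{label:10s} -> {verdict} ({'FAIL' if is_cors_failure(verdict) else 'ok'})")
```

The fix on the server side is the inverse of the classifier: compare the incoming Origin against an explicit allowlist, echo it only on a match, and never pair `Access-Control-Allow-Credentials: true` with a wildcard or with a reflected value.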

22. WebSocket Security

Scans page references for ws:// (unencrypted) versus wss:// (TLS) WebSocket endpoints. Plain ws:// traffic is readable on the wire.

23. CSRF Token Presence

Inspects POST forms on the homepage for a hidden anti-forgery token field. Forms without tokens may allow cross-site request forgery.

24. JSON Hijacking

Samples linked JSON/API endpoints for top-level arrays without anti-hijack guards - an older but still-exploitable class of bug.

Frequently asked questions about PCI compliance

Everything you need to know about our free PCI scanner and the wider PCI DSS standard.

What is PCI compliance?
PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements for any business that stores, processes, or transmits credit card data. Compliance is mandated by the major card brands (Visa, Mastercard, Amex, Discover, JCB) and is typically demonstrated by completing the appropriate Self-Assessment Questionnaire and, for most merchants, passing a quarterly external vulnerability scan.
Is this PCI scan really free?
Yes. The 24-check PCI Quick Check on pciscan.org is 100% free with no sign-up. We also offer a free 40-check Windows desktop app, and paid services like an Approved Scanning Vendor (ASV) report for merchants who need a formal compliance document.
How long does the scan take?
The online scan completes 24 checks in approximately 3 minutes. The deeper Windows desktop app runs 40 checks and can take up to 10 minutes for a thorough scan.
Is PCIScan an Approved Scanning Vendor (ASV)?
The free scanner is a pre-scan and educational tool, not an ASV report. We do offer a paid ASV scan service that produces a formal report you can submit to your acquiring bank or payment gateway.
What should I do if my scan fails?
Each failed check shows exactly what was found. Fix the underlying issues (renew the certificate, close unused ports, add the missing header, etc.) and re-run the scan. If you would like hands-on help, our Diagnose & Repair service troubleshoots and fixes the issues for you with a money-back guarantee.
Can I scan any website?
You may only scan domains or IP addresses you own or are explicitly authorised to test. Unauthorised scanning may breach computer-misuse laws.