Compliance · PCI DSS 4.0
PCI DSS website security checklist — what Scorifya covers
PCI DSS 4.0 has dozens of web-facing requirements for which an external scan can produce supporting evidence. Scorifya doesn't replace your QSA's assessment, but it does automate the public-posture checks that come up in every PCI scoping conversation: TLS protocol and cipher configuration, security headers, redirect chains, and the email authentication records that affect transactional mail. This page maps Scorifya's scan checks to specific PCI DSS 4.0 requirement numbers so you can use scan output as evidence during pre-audit preparation.
Scope
Scorifya scans the public, unauthenticated surface of a hostname you submit. It does not touch CDE infrastructure, segmentation validation, internal vulnerability scanning, or anything behind authentication. Use it as one input alongside ASV scans, internal vulnerability scans, and your QSA's assessment.
Control mapping
Each control below references the framework requirement and lists the Scorifya scan checks that produce supporting evidence.
Requirement 4.2.1
Strong cryptography and security protocols are implemented to safeguard sensitive cardholder data during transmission over open, public networks.
Scorifya checks:
Requirement 4.2.1.1
Inventories of trusted keys and certificates used to protect PAN during transmission are maintained.
Requirement 6.4.1
For public-facing web applications: new threats and vulnerabilities are addressed on an ongoing basis, and the application is protected against known attacks, either through a vulnerability assessment of the application or through an automated technical solution such as a WAF. An external scan can show whether a WAF is in front of the site; it cannot show that the application itself was assessed.
Requirement 6.4.3
All payment page scripts loaded and executed in the consumer's browser are managed: each script is authorized, its integrity is assured (for example with Subresource Integrity or a CSP hash), and an inventory with written justification is maintained. A scan can enumerate the scripts a page loads and whether each carries an integrity attribute; the authorization record and justification remain yours to produce.
Scorifya checks:
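As an added illustration of what an external scan can and cannot establish for 6.4.3, the script below is not Scorifya's code or a description of its checks. It builds a script inventory from a constructed payment page, verifies each `integrity` attribute against the script body the scanner fetched (sample bodies constructed inline), and classifies scripts that are inline or that carry no integrity pin. URLs, script contents and status names are all assumptions made for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('<algo>-<base64 digest>') for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(integrity_attr: str, body: bytes) -> bool:
    """An integrity attribute may list several tokens; any one matching is a pass."""
    for token in integrity_attr.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_digest(body, algo) == token:
            return True
    return False


class ScriptCollector(HTMLParser):
    """Collect src / integrity / crossorigin from every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"),
                                 "integrity": a.get("integrity"),
                                 "crossorigin": a.get("crossorigin")})


def inventory_scripts(html: str, fetched: dict[str, bytes]) -> list[dict]:
    """Inventory every script on the page and classify its integrity state.

    `fetched` maps script URL -> body as retrieved by the scanner (constructed here).
    """
    collector = ScriptCollector()
    collector.feed(html)
    inventory = []
    for s in collector.scripts:
        entry = dict(s)
        if s["src"] is None:
            entry["status"] = "inline"         # cannot carry SRI; needs a CSP hash/nonce or removal
        elif not s["integrity"]:
            entry["status"] = "missing-sri"    # no integrity assurance at all
        elif s["src"] not in fetched:
            entry["status"] = "unfetched"      # cannot verify; treat as a finding, not a pass
        elif sri_matches(s["integrity"], fetched[s["src"]]):
            entry["status"] = "sri-ok"
        else:
            entry["status"] = "sri-mismatch"   # stale pin, or the served script changed
        inventory.append(entry)
    return inventory


# Constructed sample: script bodies "as fetched" and a payment page that references them.
CHECKOUT_JS = b"window.checkout = { pay: function () { return 'ok'; } };"
ANALYTICS_JS = b"console.log('analytics build 2');"
FETCHED = {
    "https://cdn.example.com/checkout.js": CHECKOUT_JS,
    "https://cdn.example.com/analytics.js": ANALYTICS_JS,
    "https://third-party.example.net/widget.js": b"/* widget */",
}
PAYMENT_PAGE = (
    "<html><head>\n"
    '<script src="https://cdn.example.com/checkout.js" integrity="'
    + sri_digest(CHECKOUT_JS) + '" crossorigin="anonymous"></script>\n'
    # pinned to an older build, so the digest no longer matches what is served
    '<script src="https://cdn.example.com/analytics.js" integrity="'
    + sri_digest(b"console.log('analytics build 1');") + '" crossorigin="anonymous"></script>\n'
    '<script src="https://third-party.example.net/widget.js"></script>\n'
    "<script>window.dataLayer = [];</script>\n"
    "</head><body></body></html>\n"
)

if __name__ == "__main__":
    for e in inventory_scripts(PAYMENT_PAGE, FETCHED):
        print(f"{e['status']:<13} {e['src'] or '<inline>'}")
```

A pass here means only that the pinned digest matched at scan time; 6.4.3 still requires the authorization record and the written justification for each entry, which no scan can generate.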
Requirement 8.3.2
Strong cryptography is used to render all authentication factors unreadable during transmission and storage. (8.3.6 and 8.3.7 cover password complexity and reuse, which an external scan cannot observe.) On the public surface, this translates to TLS on every endpoint that accepts credentials, and to session cookies carrying authentication state being sent with the Secure and HttpOnly attributes and an explicit SameSite policy.
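To make the cookie and transport-policy part of that concrete, here is an added example, not Scorifya's code, of the kind of check an external scanner applies to a raw HTTP response. It parses a constructed response (headers and cookie names are assumptions), evaluates the HSTS policy, and flags session-looking cookies that lack Secure, HttpOnly or a SameSite policy. The one-year HSTS threshold and the session-name heuristic are choices made for this example, not numbers from PCI DSS.

```python
SESSION_HINTS = ("sess", "auth", "token", "sid", "jwt", "login")
ONE_YEAR = 31536000  # common HSTS baseline (assumed here; PCI DSS sets no figure)


def parse_set_cookie(value: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": val.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic only: a real scanner would confirm by observing authenticated state."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_response_headers(raw: str) -> dict:
    """Evaluate HSTS and session-cookie attributes from a raw HTTP response."""
    result = {"hsts": None, "cookies": []}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "strict-transport-security":
            directives = {}
            for d in value.split(";"):
                k, _, v = d.strip().partition("=")
                directives[k.lower()] = v or True
            raw_age = directives.get("max-age", "0")
            max_age = int(raw_age) if isinstance(raw_age, str) and raw_age.isdigit() else 0
            result["hsts"] = {"max_age": max_age,
                              "include_subdomains": "includesubdomains" in directives,
                              "adequate": max_age >= ONE_YEAR}
        elif key == "set-cookie":
            cookie = parse_set_cookie(value)
            is_session = looks_like_session_cookie(cookie["name"])
            issues = []
            if is_session:
                if "secure" not in cookie["attrs"]:
                    issues.append("missing Secure")
                if "httponly" not in cookie["attrs"]:
                    issues.append("missing HttpOnly")
                samesite = cookie["attrs"].get("samesite")
                # SameSite=None is legitimate for some cross-site payment flows, so it is a
                # review item rather than an automatic failure
                if samesite is None or samesite is True or str(samesite).lower() == "none":
                    issues.append("SameSite absent or None")
            result["cookies"].append({"name": cookie["name"], "session": is_session, "issues": issues})
    return result


# Constructed sample response: one well-configured session cookie, one bare auth cookie,
# and one non-sensitive preference cookie.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: auth_token=eyJhbGciOi; Path=/
Set-Cookie: locale=en; Path=/; Max-Age=2592000
"""

if __name__ == "__main__":
    report = audit_response_headers(SAMPLE_RESPONSE)
    print("HSTS:", report["hsts"])
    for c in report["cookies"]:
        print(f"{c['name']:<12} session={c['session']} issues={c['issues']}")
```

Findings from a check like this are evidence of configuration at a point in time; they say nothing about how the authentication factor is stored server-side, which is the other half of 8.3.2 and remains an assessor question.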
Requirement 12.10.1 (incident response)
An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. A published route for external researchers to report vulnerabilities is a supporting control that helps such incidents reach the plan; it is evidence toward the requirement, not the requirement itself.
Scorifya checks:
Important caveats
- Quarterly external vulnerability scans by an ASV (Approved Scanning Vendor) are still required under Requirement 11.3.2. Scorifya is not an ASV scan and does not satisfy that requirement.
- Internal vulnerability scanning and segmentation testing remain out of reach for any external scanner, including Scorifya.
- Compliance status is determined by your QSA, not by any single tool's score.
Run a scan to produce evidence
Submit any URL you are authorized to test. The scan output (TLS posture, header coverage, DNS hygiene) is repeatable and dated. A single dated scan supports evidence of design; a series of dated scans across the assessment period supports evidence of operating effectiveness, which is what assessors look for.