
By alphacardprocess July 24, 2025
After installing a payment gateway or a hosted checkout, many entrepreneurs can take a sigh of relief. It can feel like the hardest part’s over — because, after all, the provider takes care of the sensitive stuff, right? Not quite.
It is a widely held misconception that if you’re not handling credit card data, you no longer need to worry about PCI compliance. But the reality is more complicated, and skipping mandated PCI scans could open you up to fines, security breaches, or even losing the ability to take payments.
Using third-party payment services or a payment processor can reduce your compliance burden, but it doesn’t erase it completely. In this guide, we’ll break down when PCI scans are still required, how hosted solutions shift responsibilities, and how you can stay compliant without getting overwhelmed. Whether you are tech-savvy or not, you’ll walk away with clear next steps and fewer surprises.
PCI Compliance Basics Refresher
Let’s rewind for a moment. PCI DSS, or Payment Card Industry Data Security Standard, is a global set of rules meant to safeguard credit and debit card data. If card payments are processed in your shop, then PCI DSS rules apply to you, whether you’re a high street boutique or an online merchant.
One key part of compliance? PCI scans.

These are external vulnerability scans conducted by Approved Scanning Vendors (ASVs). Consider them a routine checkup for your digital storefront — they seek out any vulnerable entry points in systems that are connected to the internet and could be targeted by hackers.
These scans don’t cover your internal gear, like POS terminals behind a firewall. Instead, they focus on servers, websites, or IP addresses that are publicly available, in other words anything that could be reached from outside your network.
So, who’s watching all this?
The big card networks — Visa, Mastercard, American Express and Discover — are the organizations that require you to adhere to PCI DSS via your payment processor. That’s because even if you use a third-party gateway or hosted checkout, you still may be required to show compliance to ensure your merchant account remains in good standing.
Understanding Payment Gateways & Hosted Checkout Pages
When you sell online, payment gateways and hosted checkout pages make accepting card payments easier and often more secure.
A payment gateway is a digital bridge between your website or point-of-sale (POS) system on one side and your payment processor and the card networks on the other. Providers include Stripe, Razorpay, PayPal, and Authorize.Net.
A hosted checkout goes a step further. Instead of capturing card details on your own site, customers are taken to a secure third-party page hosted by the provider. This makes sure that the card information never resides on your server.
Why it matters: You’re no longer handling or storing sensitive card data — which means your PCI scope is reduced.
But a smaller scope does not mean no duty. If your site gets hacked (someone slips malicious code or a script onto your checkout page, for example), you might still be at fault if your code allowed the breach. This is particularly true of “hybrid” checkouts, where the form appears on your site but is technically a hosted page served from elsewhere. Hence, PCI scans matter.
Bottom line: While hosted solutions ease your burden, they don’t eliminate it. You still need to secure your website and comply with basic PCI practices.
What Do PCI Scans Involve?
PCI scans are automated security checks that are meant to discover any weak spots in your system — and they’re not optional if you handle card data directly or your website interfaces with payment systems.
These scans must be performed by an Approved Scanning Vendor (ASV), a firm approved by the PCI Security Standards Council. You cannot simply run your own scan and call it compliance.

They’re quarterly, and they target any public-facing IP addresses (e.g., your website or server).
What do they look for?
- Outdated software or plugins
- Misconfigured firewalls
- Open ports that should not be reachable
- Known bugs that can be exploited by hackers
You’ll be given a report at the conclusion of the scan. You require a “Pass” to stay compliant! Should the scan turn up problems, you will need to address them and rescan.
Even if you use a hosted checkout, if your website or server touches the processing of the payment in any way — for example, by embedding a form or hosting scripts — you might still require scans.
Bottom line: Regular PCI scans allow you to stay a step ahead and shut down threats before they blow up into breaches.
Tips to Reduce or Eliminate PCI Scanning Requirements
Want to avoid the headache of quarterly PCI scans? The trick lies in how you let your clients pay you online. Here’s what you can do to minimize (or even eliminate) your PCI scanning requirements:
Choose a completely hosted checkout solution
Redirect customers to a trusted third-party site to complete payment (think Stripe Checkout or PayPal Standard). Because card data never touches your website, your compliance scope is drastically reduced.
Clean up embedded scripts
Strip out third-party scripts, tracking codes or plugins that your payment page is hooked into; these can create security holes that show up as PCI scan findings.
Choose PCI-compliant platforms
Hosted eCommerce platforms, such as Shopify, BigCommerce or even Squarespace, are already PCI DSS compliant. As long as you are using their own checkout systems they shoulder the burden of compliance — not you.

Avoid custom-coded payment forms
Building your own checkout may seem flexible, but it brings major PCI overhead. Stick to pre-approved integrations from trusted gateways.
Don’t embed card forms
Including fields for payment information (even via iframe or JavaScript) on your own domain exposes you to PCI obligations. Just redirect — it’s cleaner and it’s safer.
Final tip: Check with your payment processor to be sure of exactly what’s required of you. A little modification in the way you receive payment can make a large difference in your compliance efforts.
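Before paying for a quarterly ASV scan, it helps to know which of the situations above your checkout page actually falls into. The following is an added example, not code from the original post or from any payment provider: a small Python audit that parses a checkout page’s HTML for card-data inputs on your own domain, iframes, and third-party scripts (the items the tips above tell you to remove), then labels the page with one of this article’s three scope tiers. The host names and HTML sample are constructed, and the tiering mirrors this article’s advice rather than the official SAQ eligibility rules.

```python
"""Added example (not from the original post): self-audit a checkout page for the
things this article says widen PCI scope. Sample HTML and hosts are constructed;
the tiering follows the article, not the official SAQ eligibility criteria."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings in name/id/autocomplete that suggest an input collects card data.
CARD_HINTS = ("cc-number", "cc-exp", "cc-csc", "cardnumber", "card_number", "cvv", "cvc")

class CheckoutAuditor(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.card_inputs = []          # card fields served from our own domain
        self.third_party_scripts = []  # script origins other than own_host
        self.iframes = []              # frame origins (e.g. provider-hosted fields)

    def _foreign(self, url):
        host = urlparse(url).hostname   # None for relative (same-origin) URLs
        return host is not None and host != self.own_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            probe = " ".join(filter(None, (a.get("name"), a.get("id"), a.get("autocomplete")))).lower()
            if any(h in probe for h in CARD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id"))
        elif tag == "script" and a.get("src") and self._foreign(a["src"]):
            self.third_party_scripts.append(urlparse(a["src"]).hostname)
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(urlparse(a["src"]).hostname or "same-origin")

def audit_checkout(html, own_host):
    """Return the findings plus a scope tier for one checkout page's HTML."""
    p = CheckoutAuditor(own_host)
    p.feed(html)
    if p.card_inputs:
        tier = "card fields on own domain: full scope, ASV scans required"
    elif p.iframes or p.third_party_scripts:
        tier = "embedded provider fields/scripts: reduced scope, scans may apply"
    else:
        tier = "redirect-only checkout: minimal scope, SAQ A candidate"
    return {"tier": tier, "card_inputs": p.card_inputs, "iframes": p.iframes,
            "third_party_scripts": sorted(set(p.third_party_scripts))}

if __name__ == "__main__":
    # Constructed sample: a "hybrid" page with a raw card form plus a tracking script.
    sample = '<script src="https://tracker.example/t.js"></script><form><input name="cardnumber"></form>'
    print(audit_checkout(sample, "shop.example"))
```

Run it against a saved copy of your own checkout page; a non-empty `card_inputs` list is the clearest sign that a redirect-based integration would shrink your scope.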

Consequences of Skipping PCI Scans When Required
Are you thinking you can skip PCI scans because you use a gateway? Think again. The downsides of skipping PCI scans include:
- Monthly penalties: Most payment processors charge $10–$30/month for non-compliance
- Greater liability: If you get hit with a breach but never scanned, you will be held completely responsible
- Suspended processing: Repeated violations can get your merchant account shut down
- Public disclosure: Depending on your jurisdiction, a data breach might initiate legal notification obligations
Takeaway: Even if you’re using a “secure” solution, your setup also counts. Failing to get a scan done could be much more expensive than the annoyance of doing what you’re supposed to.
Conclusion
A payment gateway or hosted checkout can help minimize the complexity of becoming PCI compliant, but you can’t use it to make the issue go away. Don’t assume you’re “safe enough.” A fast call or email to your provider could spare you the headache of huge fines and lost data. Perfection is not the goal; protection is. Protecting your clients’ data is part of protecting your business. Be proactive, stay informed and keep your payment systems, and your customers’ trust, rock solid. Do not ever ignore PCI scans.
Frequently Asked Questions
1. If I use Stripe or PayPal, do I still need PCI scans?
It depends on how you integrate them. If you use fully hosted checkout (like Stripe Checkout or PayPal Standard), you may qualify for SAQ A and avoid scans. But if your site touches card data (e.g., embedded fields or custom forms), scans may still apply.
2. What is an SAQ and which one do I need?
An SAQ (Self-Assessment Questionnaire) is a PCI form businesses complete to prove compliance. There are multiple types (A, A-EP, D, etc.) depending on how you process cards. Your payment processor or gateway can help determine the right one.
3. Are PCI scans expensive or hard to do?
Most Approved Scanning Vendors (ASVs) charge a modest fee, and many processors offer free or discounted scans. The scan itself is automated — you just need to ensure your site is secure and fix any issues it flags.
4. I don’t store card data — do I still need PCI compliance?
Yes. Even if you never store card details, if your systems process or transmit them (even momentarily), PCI rules still apply. Hosted solutions help reduce scope, but they don’t eliminate compliance entirely.
5. What happens if I fail a PCI scan?
You’ll need to address the issues (like outdated software or misconfigurations) and re-scan. Failure to pass can lead to fines, processing restrictions, or non-compliance penalties from your payment provider.