Payment Card Industry Data Security Standard (PCI DSS) compliance is critical for businesses that process payments and cardholder data (i.e., credit card number, cardholder name, expiration date, PINs, etc.). A key component of PCI compliance is regular security scanning of the systems and components that store, transmit, or process cardholder data and/or sensitive authentication data.
In this guide, we'll walk through how customers can prepare their Vercel deployments to support PCI scanning.
Before diving into the technical steps, it's important to understand the division of responsibility between Vercel and our customers.
While we provide the infrastructure and security tools, customers are ultimately responsible for ensuring their application meets their compliance requirements. For an overview of PCI compliance on Vercel, refer to PCI Compliance for eCommerce Teams.
When your application is hosted on Vercel, you'll need to temporarily safelist the IP addresses of your scanning service to allow it access to your deployment.
First, you'll need to contact your PCI scanning service provider to obtain:
- The complete list of IP addresses they'll use to conduct the scan
- The recommended duration and timing for the scan
- Any specific requirements they have for accessing your application
Vercel provides a powerful Web Application Firewall (WAF) that allows you to create custom rules at the project level.
- Log in to your Vercel dashboard
- Select your project from the dashboard
- Navigate to your project's Firewall tab
Now, you'll create a custom rule to allow the scanning service access:
- Click Add New > Rule
- Name your rule something descriptive (example: PCI Scanning Service - [Date]); you can also add an optional description with additional information
- In the Configure section, set the attribute to IP Address
- Choose Equals to enter a single IP address, or Is any of to input multiple IP addresses in the same rule
- Enter the IP address(es) in the value field. For multiple IPs, use line-separated input
- Leave the logical operator set to AND
- Set the action to Log
- Press Save Rule to finalize
If you have existing custom rules that might interfere with scanner access, consider using the Bypass action instead of Log to ensure these IPs are allowed through the firewall.
Before the official scan:
- Ask your scanning service provider if they can perform a preliminary connection test
- Check your logs to confirm the scanning IPs are being properly allowed through
- Verify that the WAF custom rule works as expected for each IP address you added, without weakening your other security measures
Once the scan is complete, take the following steps and review the results to ensure they meet your compliance needs:
- Immediately disable or delete the safelisting rule
- Confirm the flagged host or service is part of your PCI in-scope deployment
- Analyze the vulnerabilities identified, distinguishing findings that relate to shared infrastructure or external services not under your control (i.e., false positives)
Some suggestions that may make your PCI scanning process smooth and secure:
- Schedule during low-traffic periods: Minimize the impact on your users by conducting scans during off-peak hours
- Implement log drains: While we provide access to short-term runtime logs for debugging purposes, it is the customer's responsibility to set up log drains for long-term log retention, data auditing, or additional visibility into their application's performance. Learn more about Log Drains
- Limit the scope of the scan: Only safelist the exact IPs needed for the minimum amount of time required
- Document everything: Maintain detailed documentation of when rules were added and removed for record-keeping purposes
- Regular scanning: Don't wait for your quarterly compliance scan; implement regular security testing as part of your development lifecycle
Conducting PCI scans on your Vercel deployment is a straightforward process once you understand how to properly safelist scanning IPs through the Vercel WAF. Following the steps outlined in this guide will help you maintain your security posture and ensure your application supports PCI requirements.
Remember that security is an ongoing process, not a one-time event. Regular scanning, prompt remediation of vulnerabilities, and staying up-to-date with Vercel's security features are all essential parts of maintaining a secure, compliant application.
For information related to how Vercel supports PCI compliance, please visit our guide.