If you handle cardholder data in your business, you've almost certainly heard about PCI DSS scanning. But what does it actually involve? At its core, PCI DSS scanning is the regular, automated process of checking your company’s IT systems for security weaknesses that could put cardholder data at risk.
Think of it as a routine security patrol for your digital premises. It’s required of any UK organisation that accepts payment cards: the obligation reaches you through your acquiring bank's merchant agreement rather than through statute, but it is no less binding for that, and it ensures all your digital doors and windows are firmly locked against cyber threats.
Your Essential Guide to PCI DSS Scanning
Let’s use an analogy. Imagine your payment systems are a high-security vault holding your customers' most sensitive information. PCI DSS scanning acts as the specialist team that regularly inspects every lock, sensor, and access point to make sure they're working flawlessly. This isn't just about ticking a box for compliance; it's a fundamental part of protecting customer data and earning their trust.
To really get to grips with scanning, it helps to understand what PCI DSS compliance entails as a whole. Compliance is the end goal, and regular scanning is one of the most important parts of the journey. It provides the hard evidence that your security measures are not just in place, but are actively defending against real-world attacks.

Security is ultimately about protecting data. Scanning is the proactive workhorse that makes consistent protection possible, preventing breaches and keeping you compliant.
Who Needs to Perform Scans?
The short answer? If your business stores, processes, or transmits cardholder data in any capacity, PCI DSS scanning applies to you. Your specific obligations might vary based on your transaction volume and payment setup, but the core principle is universal.
Whether you're a major e-commerce platform processing thousands of transactions a day or a small local shop with a single card terminal, regular security testing is non-negotiable. These rules are set by the Payment Card Industry Security Standards Council (PCI SSC) to establish a baseline of security across the entire payments ecosystem. Ignoring them doesn't just put your customers at risk—it exposes your business to serious financial and reputational damage.
Why Scanning Is More Than a Tick-Box Exercise
One of the biggest mistakes I see is businesses treating scanning as a simple compliance chore. That's a dangerous mindset. The threat landscape is anything but static; new vulnerabilities are uncovered every single day. Regular scanning is your best defence for staying ahead of them.
It’s about moving from a reactive to a proactive security posture. Without it, your systems could have gaping holes that attackers can exploit for weeks or even months before anyone notices. For UK businesses, a breach could lead to crippling fines under GDPR, not to mention the loss of customer trust that can be impossible to win back.
To give you a clearer picture, here's a quick rundown of the main scanning types and what they do.
PCI DSS Scanning Requirements at a Glance
| Scan Type | Frequency | Performed By | Primary Goal |
| :--- | :--- | :--- | :--- |
| ASV External Scan | Quarterly and after significant changes | Approved Scanning Vendor (ASV) | Identify vulnerabilities on public-facing systems (e.g., websites, APIs). |
| Internal Vulnerability Scan | Quarterly and after significant changes | Internal team or qualified third party | Find weaknesses within your internal network, behind the firewall. |
| File Integrity Monitoring | Weekly | Automated tool | Detect unauthorised changes to critical system or content files. |
| Application-Level Scan | Annually and after significant changes | Internal team or specialist | Uncover flaws in web application code, like SQL injection or XSS. |
Each scan serves a unique purpose, working together to create a multi-layered defence.
A consistent scanning programme delivers powerful benefits that go far beyond just passing an audit:
- Reduced Risk: You can identify and patch security holes before attackers find and exploit them.
- Stronger Security Posture: You gain a continuous, clear view of your organisation's overall security health.
- Greater Customer Trust: Showing a real commitment to data security is one of the best ways to build confidence.
- Improved Operational Resilience: You avoid the chaos, downtime, and high costs that inevitably follow a security breach.
Ultimately, PCI DSS scanning is an investment in your business's long-term survival and credibility. It turns security from a periodic, stressful scramble into a managed, continuous process that protects your assets and your reputation day in, and day out.
The Different PCI Scans You'll Actually Need to Run

Getting to grips with PCI DSS scanning starts with understanding that there isn't just one type of scan. Think of your organisation's security like a medieval castle. You'd have guards watching the perimeter for invaders, but you'd also need patrols inside the walls, checking for spies or weak points in the inner keep.
PCI DSS security scanning works the same way. It uses different scans to test your defences from multiple angles. These aren't just 'nice-to-haves'; they are mandatory checks designed to leave no stone unturned.
Let's break down the core scan types you'll be dealing with.
External Vulnerability Scans: The View from Outside
This is the one most people think of first. PCI DSS requires you to have an external vulnerability scan performed quarterly by an Approved Scanning Vendor (ASV). An ASV is simply a company that the PCI Council has certified as qualified to run these official scans. They’re your independent, third-party assessors.
An ASV scan is like hiring a team to probe your castle's outer walls, gates, and towers. They test every publicly-facing part of your network—your websites, APIs, email servers, anything with a public IP address—for known vulnerabilities.
The process is straightforward:
- Scope definition: The ASV identifies all your internet-facing IP addresses.
- Scanning: They run automated tools against these targets, checking for thousands of known security holes and misconfigurations.
- Reporting: You get a report detailing every vulnerability found, each with a severity score (critical, high, medium, etc.).
To pass, you have to run this scan every quarter and get a clean bill of health. The bar is stricter than many people expect: under the ASV Program Guide, any finding with a CVSS base score of 4.0 or higher (medium and above, not just high and critical) makes the scan non-compliant. You remediate those findings and rescan until the ASV can issue a passing report.
Internal Vulnerability Scans: Guarding the Inner Sanctum
While external scans check what a hacker can see from the outside, internal scans look for weaknesses within your network. This is like letting a security expert walk around inside your castle to spot unlocked doors or unguarded treasure rooms that an external attacker knows nothing about.
These scans, also required quarterly, are meant to find issues that could be exploited by an insider or by an attacker who has already found a way past your firewall. You can run these yourself or hire a qualified consultant.
A lot of teams assume a powerful firewall means their internal network is safe. That's a dangerous assumption. A huge number of breaches start from inside, which makes internal scanning an absolutely essential layer of your defence.
Internal scans are looking for things like:
- Out-of-date software and missing security patches on servers and employee computers.
- Weak or default passwords on databases, routers, and other internal systems.
- Poor network configurations that would let an attacker move around freely if they got in.
If you want to go deeper into the kinds of tools used for these checks, our guide on web application vulnerability scanners is a great place to start. It's also helpful to understand how these automated scans differ from manual testing, which you can read about in this article on Penetration Testing vs Vulnerability Scanning.
Other Essential Security Checks
On top of the quarterly vulnerability scans, PCI DSS requires a few other regular checks to ensure your security is truly robust. These are just as important.
File-Integrity Monitoring (FIM)
This check is required at least weekly. Think of FIM as putting a digital tamper-evident seal on your most important files. FIM software constantly watches critical system files and configurations for any unauthorised changes. If someone modifies a crucial file, an alert is triggered immediately, giving you a chance to investigate a potential breach as it happens.
Web Application and API Scanning
At least annually, and after any significant change to your code, you must scan your web applications and APIs for software-level bugs. This type of scan goes much deeper than the network-level checks, hunting for coding flaws like SQL injection, cross-site scripting (XSS), and broken authentication. These app-level checks are vital for protecting the very software that handles card data.
How Scanning Aligns with PCI DSS v4.0 Requirements
PCI DSS scanning isn’t just a technical task you tick off a list; it’s the practical, evidence-based proof that you're meeting your security obligations. Think of the Payment Card Industry Data Security Standard (PCI DSS) as the rulebook for handling cardholder data. Your scans are how you demonstrate, chapter and verse, that you’re actually following those rules.
With the full enforcement of PCI DSS v4.0, the standard has decisively shifted from a "point-in-time" compliance exercise to a continuous security posture. Your scan reports are the primary evidence a Qualified Security Assessor (QSA) will scrutinise. They’re looking for more than just a passing grade.
These reports need to tell a story. They must show a consistent, diligent effort to find and fix vulnerabilities, creating a detailed log of your security health over time. Without this documented history, passing a PCI audit becomes a near-impossible task.
Requirement 11: The Heart of Scanning Mandates
At the core of all this activity is Requirement 11, titled in v4.0 "Test Security of Systems and Networks Regularly" (v3.2.1 called it "Regularly Test Security Systems and Processes"). This isn't just one rule among many; it's the foundation for your entire vulnerability management programme and the explicit reason you run quarterly internal and external scans.
PCI DSS v4.0 has put Requirement 11 under a microscope, sharpening its focus to tackle modern threats. It now requires authenticated internal vulnerability scans (11.3.1.2) and a mechanism to detect unauthorised changes to the HTTP headers and script content of payment pages (11.6.1), aimed squarely at digital skimming. It's a clear signal that running a simple, unauthenticated scan just doesn't cut it anymore.
For UK organisations, this transition has been pivotal. v4.0 became mandatory on 31 March 2024, and its future-dated requirements, including authenticated internal scanning and payment-page tamper detection, became enforceable on 31 March 2025. Since then, network scanning has become an undeniable cornerstone of compliance. Assessment figures quoted for the first half of 2025 put failures in scanning behind 68% of failed PCI audits among British fintechs, underscoring its critical role.
Mapping Scan Types to Specific PCI Controls
So, how do the different types of scans you run connect directly to specific PCI DSS requirements? Understanding this mapping is crucial for building a programme that is not only compliant but genuinely effective. A well-structured approach also naturally aligns with broader security frameworks. If you want to see how these controls fit into a bigger picture, you can review our guide on ISO 27001 and information security management systems.
Here’s a breakdown of how the core scanning activities fulfil specific PCI DSS mandates:
- External ASV Scans (Req 11.3.2): This is the most widely known mandate. It requires you to have an Approved Scanning Vendor (ASV) scan all your internet-facing systems every quarter to find and fix vulnerabilities.
- Internal Vulnerability Scans (Req 11.3.1): This rule demands the same quarterly frequency for scans inside your firewall. Version 4.0 now stresses the need for authenticated scans to get a much deeper and more accurate view of your internal risks.
- File-Integrity Monitoring (Req 11.5.2): Your early warning system for a breach in progress. This requires a change-detection mechanism that compares critical system files, configuration files and content files against a known-good baseline at least weekly, alerting you to active tampering. Its sibling, Req 11.6.1, applies the same idea to the scripts and HTTP headers of your payment pages.
- Web Application and API Scanning (Req 6.4.1/6.4.2 & 11.4): Beyond the annual internal and external penetration tests (11.4.3 and 11.4.4), public-facing web applications must either be assessed for vulnerabilities at least annually and after changes, or be protected by an automated technical solution that detects and prevents web-based attacks, which is mandatory from 31 March 2025. Continuously scanning your custom code for common but dangerous bugs like SQL injection or cross-site scripting (XSS) is how most teams meet that bar and stay ahead of it.
By aligning your scanning schedule directly with these PCI requirements, you transform compliance from a chaotic, last-minute scramble into a predictable and manageable process. Each scan report becomes a piece of evidence, building your case for a successful audit.
A Practical Guide to Running Scans and Managing Results
Knowing you need to scan is one thing; actually doing it right is where the real work begins. It’s easy to get bogged down in the process, turning what should be a straightforward security measure into a quarterly fire drill. Let's walk through how to run scans, make sense of the results, and manage the fixes without the usual headache.
First, you need a rhythm. The PCI DSS rules are clear: you must run external ASV scans and internal vulnerability scans at least quarterly. You also need to run them after any "significant change" to your systems. This could be anything from a major software update or deploying a new server to tweaking your firewall rules.
The trick is to make scanning routine, not an emergency. Get your scans booked well in advance and let your tech teams know the schedule. This simple bit of planning avoids last-minute panic and ensures the right people are available to act on the findings.
Interpreting Scan Reports and Prioritising Fixes
When a scan finishes, you’ll get a report that can look pretty intimidating. It’s often a long list of every weakness the scanner found, and it’s tempting to feel overwhelmed. The key is knowing how to read it and where to start.
Each finding comes with a risk rating, usually based on the Common Vulnerability Scoring System (CVSS). You can group them into three main buckets:
- Critical/High: These are the gaping holes. They're often straightforward for an attacker to exploit and could give them the keys to the kingdom. These are your absolute top priority.
- Medium: These issues pose a real risk but might require more specific circumstances for an attacker to use them. Think of them as unlocked windows on the first floor—not as bad as an open front door, but you still need to sort them out.
- Low/Informational: These are usually minor configuration slip-ups or tips for better security hygiene. While they're worth fixing, they aren't likely to be the direct cause of a breach.
Don't try to fix everything at once. The golden rule is to tackle all Critical and High-risk vulnerabilities first. Bear in mind, though, that the ASV pass threshold is stricter than that bucket: a scan is non-compliant if any finding on an internet-facing system scores CVSS 4.0 or higher, so Medium findings on those systems also stand between you and a passing report. From there, work your way down the list, starting with the remaining Medium-risk items.
A critical vulnerability on a non-essential internal development server might be less urgent than a medium vulnerability on your public-facing checkout API. Always consider the business impact and the location of the asset when prioritising your remediation efforts.
Automating Scans in Your CI/CD Pipeline
For development teams working at a fast pace, the goal is to find problems sooner. This means building security checks directly into your Continuous Integration/Continuous Deployment (CI/CD) pipeline. Instead of finding a show-stopping vulnerability days before a launch, you can catch it the moment the code is written.
Think of it as an automated security checkpoint. The process looks something like this:
- Code Commit: A developer pushes new code.
- Scan Trigger: Your CI/CD system automatically runs a targeted vulnerability scan on the new build.
- Result Analysis: A script or tool checks the scan report for serious issues.
- Build Fails: If a high or critical vulnerability is detected, the build is automatically stopped. Insecure code never gets a chance to move forward.
- Dev Alerted: The developer gets an instant notification explaining the problem, often with pointers on how to fix it.
This changes the entire dynamic. It empowers your engineers to handle security as part of their daily work, catching issues when they are cheapest and easiest to resolve. PCI DSS scanning stops being a painful, periodic audit and becomes a natural part of building good, secure software.
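The gating and prioritisation described above, as an added example rather than code from the original article or from any scanner: the script parses a simplified, constructed JSON findings list (real scanners each have their own schema, so the parsing is the part you would adapt), orders findings so that anything that would fail the quarterly ASV scan comes first, and exits non-zero if such a finding exists. It encodes the point made earlier that a medium on the public checkout API outranks a critical on an isolated dev box.

```python
"""CI gate for vulnerability-scan output (added example; report format is constructed)."""
import json
import sys

# ASV Program Guide threshold: any finding with a CVSS base score of 4.0 or
# higher on an internet-facing host makes the external scan non-compliant.
ASV_FAIL_THRESHOLD = 4.0


def parse_report(report_json):
    """Load the constructed report format: a JSON list of finding objects."""
    return json.loads(report_json)


def bucket(score):
    """Map a CVSS base score to the three triage buckets used in the text."""
    if score >= 7.0:
        return "critical/high"
    if score >= 4.0:
        return "medium"
    return "low/informational"


def triage(findings):
    """Order findings so the most urgent fixes come first.

    Findings that would fail the ASV scan (internet-facing and CVSS >= 4.0)
    come first because they block the quarterly pass; everything else follows
    by CVSS descending.
    """
    def key(f):
        blocks_asv = f.get("internet_facing", False) and f["cvss"] >= ASV_FAIL_THRESHOLD
        return (not blocks_asv, -f["cvss"])
    return sorted(findings, key=key)


def gate(findings, max_cvss=ASV_FAIL_THRESHOLD):
    """Return (passed, blocking_findings).

    The build passes only if no internet-facing finding reaches max_cvss.
    Internal-only findings are reported but do not block here; drop the
    exposure check or lower max_cvss to be stricter.
    """
    blocking = [
        f for f in findings
        if f.get("internet_facing", False) and f["cvss"] >= max_cvss
    ]
    return (len(blocking) == 0, blocking)


# Constructed sample report, not real scanner output.
SAMPLE_REPORT = json.dumps([
    {"id": "F-1", "asset": "checkout-api.example.test", "internet_facing": True,
     "cvss": 5.3, "title": "TLS 1.0 enabled"},
    {"id": "F-2", "asset": "dev-build-01.internal", "internet_facing": False,
     "cvss": 9.8, "title": "Outdated OpenSSH"},
    {"id": "F-3", "asset": "www.example.test", "internet_facing": True,
     "cvss": 3.1, "title": "Server header discloses version"},
])


def run(report_json):
    """Print the triaged list and return (passed, ids of blocking findings)."""
    findings = parse_report(report_json)
    for f in triage(findings):
        print(f"{bucket(f['cvss']):>18}  {f['cvss']:>4}  {f['asset']}  {f['title']}")
    passed, blocking = gate(findings)
    return passed, [f["id"] for f in blocking]


if __name__ == "__main__":
    ok, blocking_ids = run(SAMPLE_REPORT)
    print("PASS" if ok else f"FAIL: blocked by {blocking_ids}")
    sys.exit(0 if ok else 1)
```

Wire `run()` to the report your pipeline produces and let the exit code fail the job; the printed order doubles as the remediation queue for the developer notification step.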
The Real Costs of PCI Compliance and Non-Compliance
Let's talk about the money. When PCI DSS scanning comes up, the conversation almost always turns to the budget. It's tempting to see compliance as just another line item, a cost to be minimised. But that’s looking at it the wrong way. The real question isn't "How much does compliance cost?" but "What's the price we'll pay if we fail?"
Think of a solid scanning programme as your business's insurance policy. Yes, it's a recurring cost, but it's what stands between you and a catastrophic event that could wipe you out. The upfront investment in getting your security right is always, without exception, a tiny fraction of what a data breach will cost you.
Budgeting for PCI DSS Compliance
For any UK business, the costs of achieving and maintaining PCI DSS compliance are real, but they are also predictable. A Level 1 merchant might face a larger initial spend, but the ongoing scanning and testing costs are far more manageable than you might think.
This isn't just theory. PCI DSS Requirement 11 mandates documented internal and external vulnerability scans, a baseline expectation now that v4.0 is fully in effect. A recent Gradeon survey on UK merchant compliance discovered a critical point of failure: many businesses that failed their audits did so simply because of poor scan documentation.
So, what should you actually budget for? Here’s a realistic breakdown of ongoing costs:
- Quarterly ASV Scans: These essential external vulnerability scans will typically run you between £5,000 and £15,000 annually.
- Penetration Testing: This is a more hands-on, deep-dive assessment. You should budget anywhere from £40,000 to £75,000 per year to cover both internal and external tests.
- Remediation: Here's the variable. The cost to fix what you find depends entirely on the nature of the vulnerabilities and the work needed to patch them.
These numbers might seem significant, but they represent a clear, planned path to protecting cardholder data. The alternative is a far more frightening financial gamble.
The Crippling Cost of a Breach
The fallout from a data breach is never just a single fine. It's a domino effect of financial and reputational damage that can haunt a business for years—if it survives at all.
The cost of non-compliance is a financial black hole. It starts with regulatory fines but quickly expands to include legal fees, customer compensation, soaring insurance premiums, and the irreversible loss of customer trust. It’s an existential threat, not just an expense.
Let’s be clear about what failure truly costs:
- Regulatory Fines: In the UK, the Information Commissioner's Office (ICO) can issue fines under UK GDPR of up to £17.5 million or 4% of a company's global annual turnover, whichever is higher. That’s not profit, that's turnover.
- Forensic Investigations: After a breach, you're on the hook to hire a PCI Forensic Investigator (PFI) to figure out what happened. This is a non-negotiable, lengthy, and very expensive process.
- Reputational Damage: Trust is hard-won and easily lost. A 2023 study found that over 60% of consumers would simply walk away from a company after a data breach.
- Operational Disruption: Forget new features or growth. A breach brings your operations to a grinding halt, pulling your best people off productive work to handle the cleanup.
When you put the two scenarios side-by-side, the choice is obvious. The planned, manageable costs of a robust PCI DSS scanning programme aren't an expense; they're a vital investment in your company's future.
Automating Compliance for Modern Technology Stacks
Let's be honest: traditional PCI DSS scanning was designed for a different era. It was built for monolithic applications chugging away on servers in a data centre. But what happens when your infrastructure is serverless, your backend is a service like Supabase or Firebase, and you're shipping code multiple times a day?
The fundamental principles of security haven't changed, but the attack surface looks completely different. In this world, a poorly configured Row Level Security (RLS) policy is the new open firewall port. A leaked API key accidentally committed to a public GitHub repo is today's equivalent of an unpatched server. These aren't just theoretical worries; they are some of the most common and damaging security flaws we see, and traditional network scanners were never built to find them.

This is precisely where automated security scanning, designed for modern development, becomes so critical. It’s about shifting compliance from a periodic, manual headache into a continuous, integrated part of your development workflow.
The Evolution of Vulnerability Management
For fast-moving teams, the solution is tooling that speaks their language. Instead of just checking for open ports, modern scanners need to analyse application logic and cloud configurations. This is the next step in vulnerability management—moving beyond basic network checks to a much more sophisticated, context-aware analysis.
Think about it this way:
- Logic Fuzzing: A good tool doesn't just read your RLS policies. It actively "fuzzes" them by firing thousands of automated queries to find out what data can actually be read or written. It proves a leak exists instead of just flagging a potential issue.
- Secret Scanning: These tools are always on the lookout, proactively searching your frontend code bundles, mobile app files, and code repositories for hardcoded secrets like API keys and credentials before they ever get exposed.
- Automated Remediation: The best tools don't just dump problems on your lap; they offer clear, actionable solutions. This could mean providing the exact SQL snippet needed to fix a leaky RLS policy, saving your developers hours of frustrating guesswork.
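The secret-scanning step above, as an added example that is not code from the original article or from AuditYour.App. Supabase's legacy API keys are JWTs whose payload carries a `role` claim: `anon` is designed to ship to browsers (Row Level Security still applies to it), while `service_role` bypasses RLS and must never appear client-side. The scanner pulls JWT-shaped tokens out of a built bundle, decodes the payload without verifying the signature (we only need the claims, not trust in them), and flags service-role keys; it also catches AWS access key IDs by their fixed `AKIA` prefix. The bundle excerpt, the project ref and the token in it are all constructed; the AWS key is the placeholder from AWS's own documentation.

```python
"""Scan a front-end bundle for hardcoded secrets (added example; sample data is constructed)."""
import base64
import json
import re

# Three base64url segments, first one starting "eyJ" (a JSON object beginning '{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode a JWT's payload segment. No signature check: this is triage, not authentication."""
    try:
        return json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None


def scan_bundle(text):
    """Return (severity, kind, snippet) findings for one bundle file."""
    findings = []
    for m in JWT_RE.finditer(text):
        token = m.group(0)
        claims = jwt_claims(token) or {}
        role = claims.get("role")
        if claims.get("iss") == "supabase" and role == "service_role":
            findings.append(("critical", "supabase_service_role_key", token[:24] + "..."))
        elif claims.get("iss") == "supabase" and role == "anon":
            findings.append(("info", "supabase_anon_key", token[:24] + "..."))
        else:
            findings.append(("medium", "jwt", token[:24] + "..."))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("critical", "aws_access_key_id", m.group(0)))
    return findings


def make_fake_supabase_key(role):
    """Build a JWT-shaped sample token with the given role. The signature is junk on purpose."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"iss": "supabase", "ref": "abcdefghijklmnop", "role": role}).encode()
    )
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed bundle excerpt: a build that accidentally inlined the service key.
SAMPLE_BUNDLE = (
    "const SUPABASE_URL='https://abcdefghijklmnop.supabase.co';\n"
    f"const SUPABASE_KEY='{make_fake_supabase_key('service_role')}';\n"
    "const S3_KEY='AKIAIOSFODNN7EXAMPLE';\n"
)


if __name__ == "__main__":
    for severity, kind, snippet in scan_bundle(SAMPLE_BUNDLE):
        print(f"[{severity}] {kind}: {snippet}")
```

Run it over `dist/` after every build, and treat a `service_role` hit as a rotate-the-key event, not just a remove-the-line event: anything that reached a bundle may already have reached a CDN cache or a customer's browser.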
Continuous Compliance as the New Standard
The full adoption of PCI DSS v4.0 has firmly cemented vulnerability scanning's role in UK payment security, making continuous monitoring an absolute necessity. With Requirement 11 mandating regular scans, UK companies are already finding that a staggering 72% of recent PCI audit failures come from gaps in their scanning processes. To understand the financial implications, you can read more about the costs of PCI DSS screening in the UK on avvanz.com.
For an indie hacker building on Supabase or a product leader shipping a mobile app, this means you need tools that work as fast as you do. An automated platform like AuditYour.App acts like your own specialised red team, continuously guarding your modern stack and proving where real-world leaks exist.
This approach transforms PCI DSS scanning from a compliance chore into a real competitive advantage. By building these checks directly into your workflow, you can achieve a truly robust security posture without the typical overhead. That means you can get back to what matters: shipping innovative products with confidence.
To see how this works in practice, check out our automated security scanning guide for your own projects.
Frequently Asked Questions About PCI DSS Scanning
When it comes to PCI DSS scanning, a lot of the same questions pop up time and again. Getting your head around compliance rules and technical jargon can be tough, so we've answered some of the most common queries we hear from businesses just like yours.
What Happens If I Fail an ASV Scan?
First off, don't panic. Failing an Approved Scanning Vendor (ASV) scan is a pretty normal part of the process and simply means a significant vulnerability has been found on one of your systems facing the internet.
You'll get a report that spells out exactly what the issue is and how severe it is. The standard itself sets no fixed grace period: you fix the finding, ask the ASV for a rescan, and need a passing report at least once every three months, so a failed scan late in a quarter leaves you less time than one early on. Your acquiring bank may also set its own remediation deadlines. A passing scan is what you need to keep your compliance in good standing.
Persistent failures can be serious. They can lead your acquiring bank to impose penalties, such as higher transaction fees or even fines, as you are considered non-compliant until you achieve a passing report.
Are Internal Scans and Penetration Tests the Same Thing?
That’s a great question, and the answer is no—they are two very different, but equally important, security checks. PCI DSS actually requires you to do both.
Here’s a simple way to think about it:
- An Internal Vulnerability Scan is like a security guard methodically checking a building against a long list of known issues. It's an automated process that looks for thousands of well-documented weaknesses inside your network, making sure all the usual doors and windows are locked.
- A Penetration Test is more like hiring a specialist team to stage a real-world break-in. This is a manual, creative exercise where a security expert actively tries to find and exploit any weakness they can, known or unknown. They aren't just checking locks; they're looking for clever ways to bypass your entire defence system.
They work together to give you a much richer, more accurate view of how secure you really are.
Do Small Businesses Really Need PCI DSS Scanning?
Yes, they do. If your business takes card payments, the PCI DSS rules apply, regardless of your size. The key difference is that your specific scanning requirements depend on how many transactions you handle and the way you process them.
Even the smallest shops often need to fill out a Self-Assessment Questionnaire (SAQ), and many versions of the SAQ demand quarterly external ASV scans. Your acquiring bank is the one who sets your exact obligations, so it's vital to have a conversation with them to confirm what's required. That's the only way to be sure you're both compliant and secure.
Stop wondering if your modern application is secure. AuditYour.App gives you the power to find critical vulnerabilities in your Supabase or Firebase backend before attackers do. Get a free, instant scan and actionable fixes in minutes at https://audityour.app.