
Frequently Asked Questions

Who is Clone Systems and why do they have my data?

Clone Systems is a certified ASV partner and receives only the contact details required to populate the mandatory Section A.1 of your official PCI compliance reports.

My scan failed due to ‘Active Security Hardware Detected’. What does this mean?

This usually means a WAF or similar active protection system was detected blocking or altering the scanner's traffic. For an ASV scan to be valid, the scanner's source IPs must be allowlisted so that the scan is not filtered; allowlist only those addresses, not broader ranges. See Getting Started — Prerequisites for the scanner IPs you need to allowlist.

How often do I need to run ASV scans?

PCI DSS requires external ASV scans at least every 90 days (quarterly). We strongly recommend monthly scanning to catch issues early and maintain continuous compliance. Detectify defaults to monthly scheduling.

Can I move a scan profile to a different domain or IP?

No. Scan profiles are locked to the domain or IP address specified at creation. To scan a different target, you need to create a new scan profile.

What happens if I reduce my plan?

If you reduce the number of scan slots on your plan, existing profiles remain active but you will not be able to create new profiles until your usage is below the new capacity. The dashboard will show “Max capacity reached” and the create button will prompt you to contact us for more capacity.

What is the difference between ASV scanning and Detectify Application Scanning?

                 ASV Scanning                                     Application Scanning
Purpose          PCI DSS compliance (Requirement 11.3.2)          General web application vulnerability detection
Certification    Performed by a certified ASV (Clone Systems)     Detectify's scanning engine
Output           Compliance reports (AoSC, Executive, Detailed)   Vulnerability findings with proof of exploitability
Schedule         Monthly or quarterly                             On-demand or continuous

The two serve different purposes and can be used together for complementary coverage: the ASV scan produces the evidence PCI requires, while Application Scanning finds and verifies application-layer vulnerabilities between compliance scans.

Can I use Detectify for internal scanning requirements?

Detectify Application Scanning can address the application layer of PCI DSS internal scanning requirements (Requirement 11.3.1). However, the OS layer (11.3.1.2) requires a complementary host-based scanner such as AWS Inspector or similar. Together, they provide full coverage for the internal scanning mandate.

How do I stop paying PCI non-compliance fees?

Follow this three-step action plan:

  1. Identify and document — Determine your merchant level based on annual transaction volume. Map every system, domain, and IP that touches cardholder data.
  2. Run passing scans — Execute ASV scans at least every 90 days. Remediate any failures promptly. Maintain at least four consecutive quarterly passing scans.
  3. Submit attestation — Send your signed Attestation of Compliance (AOC) and passing AoSC reports to your payment processor (Stripe, Adyen, etc.) and request fee removal.

How long are reports stored?

Reports are retained for 3 years from the scan date. We recommend downloading and storing reports in a secure location if you need them beyond this period.

Who generates the compliance reports?

Reports are generated by Clone Systems, a PCI SSC-certified Approved Scanning Vendor (ASV). Reports carry dual branding (Detectify and Clone Systems) as required by PCI SSC guidelines. The accuracy and validity of the compliance data are the responsibility of Clone Systems as the certified vendor.

What happens if a scan is running and I need to make changes?

Running scans will complete before any changes take effect. If you pause a profile while a scan is in progress, the current scan will finish and generate its reports. Only future scheduled scans will be affected.
