My recent Cloudflare PCI scan passed (always has) however now the Scan vendor requires declarations for two separate notes (see image below). I am using Cloudflare FREE version with SSL/TLS encryption mode on Full (strict) and have a Cloudflare Origin CA certificate installed on the server. Unable to validate the occurrence of http as reported by the ASV vendor below. Unsure how to respond to vendor since https is set to strict. Does anyone have any ideas? Any insight, help or suggestions would be greatly appreciated!
I’m not a PCI expert, but you don’t have much control over what ports are open on the Cloudflare proxy. And I don’t know what documentation is available to satisfy their requirements.
If the vendor scanned your origin IP, do you think that would help? Hopefully that one is locked down for your configuration.