Let them know that WP Engine itself is not PCI compliant and that they need to set things up on the site to make them do so. When they do the PCI scan on the site, it will always give them a false negative on the scan due to how our hosting is set up.
We can still whitelist the IPs; they just need to know that there are some things we cannot change on our managed platform that will be suggested on the PCI report, like closing down ports.
Please refer to the official guidance at pcisecuritystandards.org. If you host an e-commerce site, there are third-party payment processors who can accept and process credit card payments on your behalf. Some examples include Authorize.net, Braintree, Payeezy, PayPal Pro, and Stripe. Each third-party payment processor is responsible for maintaining information about their own compliance and may be able to help you with any PCI reporting or attestation requirements.
If you are providing e-commerce services and choose to include your WP Engine site in your PCI vulnerability scanning scope, please be aware that scan results may not be correct as we run customized versions of various components. In any case, we suggest you confirm with your PCI QSA whether your WP Engine site should be included or not as they may not be clear on how your WP Engine site works.