I have a client who keeps failing their PC! compliance scan with first data . I have shut down all access from the internet via the management panel and and disabled ping from internet.
according to first data the scan does not like the self signed certificate ssl ( sorry none the wiser) and requires a ca rooted one .
i also need to close port 443 .
the only way i have access is through a VPN remote dial-in user .
i have never had this issue with any other clients using draytek 2860 /2862
can anyone help

If you're not using the router's SSL VPN server, disabling that should help as that is responding on TCP 443 with the router's self-signed certificate. That service is located in [VPN and Remote Access] > [Remote Access Control].
On there, turn off the SSL VPN Server and I recommend turning off PPTP VPN Server if you're not using the PPTP VPN - It's better to use L2TP over IPsec if possible.