Approved Scanning Vendor

An Approved Scanning Vendor (ASV) is a third-party company certified by the Payment Card Industry Security Standards Council (PCI SSC) to perform vulnerability scans on the external-facing networks and systems of merchants and service providers. The certification process ensures that the ASV has the technical expertise and the proper scanning tools to accurately assess security vulnerabilities according to the PCI DSS.

The primary purpose of an ASV is to help organizations validate their compliance with a key requirement of the PCI DSS, which mandates that external vulnerability scans must be conducted at least quarterly and after any significant changes to the network. These scans are designed to identify security weaknesses in systems that are accessible from the internet, such as web servers, firewalls, and other public-facing devices.

A passing ASV scan report is a mandatory part of the PCI DSS compliance process. A scan fails if it identifies vulnerabilities with a CVSS (Common Vulnerability Scoring System) score of 4.0 or higher, or if specific configuration issues are present that would automatically lead to a failure. If a scan fails, the organization must remediate the identified vulnerabilities and perform a re-scan until a passing report is achieved.

ThreatNG is an all-in-one solution for external attack surface management, digital risk protection, and security ratings that provides a powerful and complementary approach to the work of an Approved Scanning Vendor (ASV). ThreatNG does not replace the mandatory quarterly ASV scans but rather significantly enhances their value by providing continuous, attacker-centric intelligence that addresses the limitations of a periodic, "snapshot-in-time" assessment.

How ThreatNG Complements ASV Scans

ThreatNG provides crucial intelligence that an ASV scan, by its nature, cannot. While an ASV scan focuses on "known technical weaknesses" within a "defined network perimeter" to meet PCI DSS Requirement 11.2.2, ThreatNG continuously uncovers a broader range of digital risks that are often invisible to conventional scanning tools. This complementary approach provides a more holistic and accurate picture of a client's security posture.

  • Enhancing Asset Discovery and Scope Validation: ASV scans operate on a predefined list of assets. ThreatNG's "purely external unauthenticated discovery" complements this by continuously identifying an organization's entire external attack surface, including assets that internal teams may not formally inventory. ThreatNG helps QSAs "validate the completeness of a client's declared PCI DSS scope (Requirement 1.4.2)". For instance, if ThreatNG identifies a "previously unknown internet-facing asset, such as a forgotten staging server with an exposed admin page," the QSA can ensure these assets are included in subsequent ASV scans. This is crucial because "missing assets represent a common and significant compliance gap".

  • Providing Granular Web Security Recommendations: An ASV scan might flag a missing Content Security Policy (CSP) as a low-severity finding. ThreatNG's reports, however, provide a detailed list of "affected subdomains," allowing a QSA to give more specific and actionable recommendations for web application security (PCI DSS 6.4.3) and vulnerability management (6.2.3). This helps clients understand the importance of these "lower severity" findings in the context of real-world attacks.

  • Contextualizing Vulnerability Findings: ThreatNG's DarCache Vulnerability module enhances traditional CVSS-based prioritization. While an ASV scan's "passing" report is characterized by no vulnerabilities with a CVSS score of 4.0 or higher, ThreatNG provides crucial context by integrating EPSS (Exploit Prediction Scoring System) for the "likelihood of exploitation" and KEV (Known Exploited Vulnerabilities) for vulnerabilities "actively being exploited in the wild". This allows organizations to prioritize remediation efforts more intelligently, focusing on "vulnerabilities that pose an immediate and proven threat", thereby optimizing compliance with PCI DSS Requirement 11.6.1 for timely remediation.
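The pass/fail rule above (CVSS 4.0 threshold plus automatic-failure conditions) and the EPSS/KEV prioritization can be shown side by side. The following is an added example, not ThreatNG's or the PCI SSC's code; the findings, the CVE identifiers and the set of automatic-failure conditions are constructed placeholders for illustration.

```python
from dataclasses import dataclass

ASV_FAIL_THRESHOLD = 4.0  # a finding at or above this CVSS score fails the scan

# Configuration issues treated as automatic failures. This set is an assumption
# for illustration, not the ASV Program Guide's actual list.
AUTOMATIC_FAIL_CONDITIONS = {"default_credentials", "open_database_port"}


@dataclass
class Finding:
    host: str
    cve: str            # placeholder identifiers below, not real CVEs
    cvss: float
    epss: float = 0.0   # probability of exploitation in the next 30 days, 0..1
    kev: bool = False   # listed in the Known Exploited Vulnerabilities catalog
    condition: str = ""  # configuration issue tag, if any


def asv_passes(findings):
    """ASV-style verdict: fail on any CVSS >= 4.0 or any automatic-fail condition."""
    for f in findings:
        if f.cvss >= ASV_FAIL_THRESHOLD:
            return False
        if f.condition in AUTOMATIC_FAIL_CONDITIONS:
            return False
    return True


def remediation_order(findings):
    """Attacker-centric ordering: KEV first, then EPSS, then CVSS as tie-breaker.

    A KEV-listed item with a 'passing' CVSS score is still a proven threat and
    outranks a higher-scored item nobody is exploiting."""
    return sorted(findings, key=lambda f: (not f.kev, -f.epss, -f.cvss))


# Constructed sample findings
SAMPLE = [
    Finding("www.example.com", "CVE-0000-0001", 3.9, epss=0.92, kev=True),
    Finding("api.example.com", "CVE-0000-0002", 7.5, epss=0.03),
    Finding("vpn.example.com", "CVE-0000-0003", 3.1, epss=0.40),
]

if __name__ == "__main__":
    print("ASV verdict:", "PASS" if asv_passes(SAMPLE) else "FAIL")
    for f in remediation_order(SAMPLE):
        print(f"{f.host:20} {f.cve} cvss={f.cvss} epss={f.epss} kev={f.kev}")
```

Dropping the CVSS 7.5 finding from the sample yields a passing ASV report while the KEV-listed finding remains at the top of the remediation list, which is the gap the context is meant to close.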

Uncovering Risks That ASV Scans Miss

ThreatNG’s assessments and intelligence repositories are designed to uncover the "unknown-unknowns" that are outside the purview of a traditional ASV scan.

  • Sensitive Code Leaks: An ASV scan does not "analyze code repositories for sensitive information, such as secrets". ThreatNG, however, discovers and investigates public code repositories for "Code Secrets Found," like API keys and credentials. This is a "critical data leakage risk" that serves as a "significant attack vector for unauthorized access" and directly impacts PCI DSS 3.2 and 6.6.

  • Third-Party and Supply Chain Exposure: ThreatNG's "Supply Chain & Third Party Exposure" assessment and its digital risk intelligence can reveal vulnerabilities in a client's vendors. This is an essential complementary capability, as the security posture of third parties can directly impact an organization's PCI DSS compliance.

  • Digital Risks and Brand Impersonation: An ASV scan does not perform brand impersonation detection. ThreatNG's BEC & Phishing Susceptibility assessment identifies "Domain Name Permutations - Taken" that are often indicators of phishing infrastructure. This helps address a non-technical, social engineering risk that an ASV would completely miss.

  • Breach & Ransomware Intelligence: ThreatNG's DarCache Ransomware module provides real-time threat intelligence on active "Ransomware Groups and Activities". This acts as an early warning system, allowing a QSA to help a client assess their incident response plan (PCI DSS 12.10.5) against "real-world, current threats".

Synergies with Complementary Solutions

ThreatNG's findings can be used with other cybersecurity solutions to create a more robust security program that enhances the remediation process following an ASV scan.

  • Vulnerability Management (VM) Platforms: ThreatNG's external assessment findings, such as "Critical Severity Vulnerabilities Found" on external subdomains, can be pushed to a VM platform to initiate deeper, authenticated internal scans. This combined approach ensures that both external and internal vulnerabilities are identified and prioritized for remediation, supporting PCI DSS 6.2.3 and 11.3.1.

  • Security Information and Event Management (SIEM) Systems: ThreatNG's continuous alerts on external risks can be ingested by a client's SIEM. For example, if ThreatNG identifies "Compromised Emails," the SIEM can correlate this external finding with internal login attempts, providing a more robust threat detection system.
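The SIEM correlation described in the last item, as an added example that is not ThreatNG's or any SIEM vendor's code: a "Compromised Emails" list is matched against internal authentication events, and successful logins on compromised accounts are raised first. The feed format and the log line format are assumptions, and all values are constructed.

```python
import re
from collections import defaultdict

# Constructed external finding, modelled on a "Compromised Emails" list as it
# might be ingested by a SIEM (format assumed for illustration).
COMPROMISED_EMAILS = {"alice@example.com", "bob@example.com"}

# Constructed internal authentication log (syslog-like format assumed).
AUTH_LOG = """\
2024-05-01T08:02:11Z auth: user=alice@example.com result=FAILURE src=203.0.113.7
2024-05-01T08:02:40Z auth: user=alice@example.com result=SUCCESS src=203.0.113.7
2024-05-01T08:05:02Z auth: user=carol@example.com result=SUCCESS src=198.51.100.9
2024-05-01T08:09:13Z auth: user=bob@example.com result=FAILURE src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def correlate(log_text, compromised):
    """Map each compromised account to its login events: [(ts, result, src), ...]."""
    compromised = {e.lower() for e in compromised}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        user = m["user"].lower()
        if user in compromised:
            hits[user].append((m["ts"], m["result"], m["src"]))
    return dict(hits)


def alerts(log_text, compromised):
    """Highest-priority alerts: successful logins on accounts known to be compromised."""
    return sorted(
        (user, ts, src)
        for user, events in correlate(log_text, compromised).items()
        for ts, result, src in events
        if result == "SUCCESS"
    )


if __name__ == "__main__":
    for user, ts, src in alerts(AUTH_LOG, COMPROMISED_EMAILS):
        print(f"ALERT {ts} successful login for compromised account {user} from {src}")
```

Failed attempts against compromised accounts are kept in the correlation output so an analyst can see the attempt pattern even when no login succeeded.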

ThreatNG is not a replacement for the mandatory ASV scan but rather a powerful and essential enhancement. It helps organizations move beyond a "snapshot-in-time" compliance check to a state of "continuous security," which is what truly protects them from modern, sophisticated threats.
