PCI DSS and the outside-in view
PCI DSS v4.0 is the most prescriptive of the mainstream frameworks when it comes to external scanning. Requirement 11 specifies quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Dhara's free report is not an ASV scan and does not replace that obligation. It does two other things that matter in a PCI programme:
- It provides a year-round passive view of the external attack surface between ASV scans. Most changes to the perimeter of the cardholder data environment (CDE) happen outside the ASV cycle.
- It maps findings to the CDE perimeter requirements of Requirement 4 (encryption of cardholder data in transit) and Requirement 6 (secure development of public-facing applications).
What Dhara checks, mapped to PCI DSS v4.0
| Control | Passive check | Example finding |
|---|---|---|
| 4.2.1 | TLS certificate hygiene on CDE-adjacent hostnames | Expired chain on a subdomain resolving to CDE origin |
| 6.3.1 | Public-facing software version fingerprinting | End-of-life CMS on checkout-adjacent subdomain |
| 6.4.1 | Missing web application firewall posture | Public-facing app with no CDN / WAF fingerprint |
| 11.2.1 | Continuous external asset discovery | New checkout-adjacent subdomain not in last ASV scope |
| 11.3.1 | Public endpoint exposure review | Admin-style path reachable without authentication |
Sample PCI finding
Missing WAF/CDN fingerprint on checkout-adjacent subdomain
Response headers and the TLS fingerprint indicate a direct origin response with no Cloudflare / Akamai / Fastly / AWS WAF terminator in front. The subdomain appears in historical URL data as a former payment-flow endpoint.
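The header side of that check, as an added example that is not Dhara's own code: it classifies constructed response headers for two hostnames as edge-fronted or direct origin, flags version disclosure in the same pass, and maps each finding to the control IDs used in the table above. The vendor header signatures, hostnames and header values are assumptions made for illustration; the TLS-fingerprint side of the check is not shown.

```python
import re
from typing import Dict, List, Optional

# Assumed, illustrative edge-vendor signatures: header name -> substring expected in
# its value (empty string means presence alone suffices). Not complete or authoritative.
EDGE_SIGNATURES = {
    "cloudflare": [("server", "cloudflare"), ("cf-ray", "")],
    "akamai": [("server", "akamaighost"), ("x-akamai-transformed", "")],
    "fastly": [("x-served-by", "cache-"), ("x-fastly-request-id", "")],
    "aws-cloudfront": [("via", "cloudfront"), ("x-amz-cf-id", "")],
}

# Matches "product/1.2.3"-style version strings in disclosure-prone headers.
VERSION_RE = re.compile(r"[a-z][a-z0-9_-]*/\d+(?:\.\d+)+")


def detect_edge_vendor(headers: Dict[str, str]) -> Optional[str]:
    """Return the first edge vendor whose signature matches, else None (direct origin)."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    for vendor, signatures in EDGE_SIGNATURES.items():
        if any(name in h and needle in h[name] for name, needle in signatures):
            return vendor
    return None


def assess(hostname: str, headers: Dict[str, str]) -> List[dict]:
    """Produce PCI-mapped findings for one hostname from its response headers."""
    findings = []
    if detect_edge_vendor(headers) is None:
        findings.append({"host": hostname, "control": "6.4.1",
                         "finding": "Missing WAF/CDN fingerprint: direct origin response"})
    for name in ("server", "x-powered-by"):
        value = next((v for k, v in headers.items() if k.lower() == name), "")
        if VERSION_RE.search(value.lower()):
            findings.append({"host": hostname, "control": "6.3.1",
                             "finding": f"Software version disclosed in {name}: {value}"})
    return findings


# Constructed sample responses (hostnames and values are invented, not real hosts).
SAMPLES = {
    "pay-legacy.example.com": {"Server": "nginx/1.18.0", "Content-Type": "text/html"},
    "checkout.example.com": {"Server": "cloudflare", "CF-RAY": "7a1b2c3d4e5f6789-LHR"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        for f in assess(host, hdrs):
            print(f["control"], f["host"], f["finding"])
```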
Using Dhara alongside your ASV
Dhara reports are designed to be handed to the internal security or compliance lead, who can use them either as input for scoping the next ASV engagement or as evidence that the organisation performs continuous external monitoring between ASV scans. Requirement 11.2.1 specifically asks for processes that detect changes to the external attack surface; that is what the delta-report feature of the Dhara product is for.