Persistent, stealthy, and cross-platform, the BRICKSTORM backdoor has emerged as a significant threat to U.S. technology and legal organizations. Tracked by Google Threat Intelligence Group […]
Author: cyberbytes
AI coding assistants amplify deeper cybersecurity risks
The productivity improvements that arise from increasing use of AI coding tools are coming at the cost of greater security risks. While use of AI […]
NVIDIA Merlin Flaw Enables Remote Code Execution with Root Access
A critical vulnerability in NVIDIA’s Merlin Transformers4Rec library allows attackers to achieve remote code execution with root privileges. Discovered by the Trend Micro Zero Day […]
COLDRIVER APT Group Uses ClickFix to Deliver New PowerShell-Based Backdoor BAITSWITCH
Russia-linked threat actors continue targeting civil society with sophisticated social engineering campaigns and lightweight malware tools in September 2025. The campaign delivers two previously undocumented […]
Linux Kernel ksmbd Flaw Lets Remote Attackers Execute Arbitrary Code
A critical vulnerability in the Linux Kernel’s ksmbd file sharing component allows remote attackers to execute code with kernel privileges. Tracked as CVE-2025-38561, this flaw […]
Cisco IOS 0-Day RCE Vulnerability Actively Targeted
Cisco has disclosed a critical zero-day vulnerability in its IOS and IOS XE software that is being actively exploited by threat actors in real-world attacks. […]
The best cyber recovery solutions
Recovery processes that fail to work are a nightmare scenario for companies, one that increasingly becomes reality thanks to sophisticated attacks. In the context of traditional incident response […]
Chinese spies had year-long access to US tech and legal firms
Chinese threat actors deployed a custom Linux backdoor on compromised network edge devices to maintain persistent access into the networks of US legal services firms, […]
Understanding the Distinctions: ASVs and QSA Companies Are Not Service Providers

A QSA (Qualified Security Assessor) company or an ASV (Approved Scanning Vendor) company is not considered a service provider in the context of the Payment Card Industry Data Security Standard (PCI DSS). They are highly specialized assessors and validators, rather than service providers involved in processing, storing, or transmitting cardholder data.
I have seen many instances where a company demands an AOC from their QSA or ASV, believing or being told that they need an AOC from all their service providers.
Here’s a clear breakdown of the differences:
Qualified Security Assessor (QSA)
- Role: A QSA is an independent security organization, certified by the PCI Security Standards Council (PCI SSC), to assess and validate a company’s compliance with PCI DSS.
- Function: QSA companies perform formal audits and issue a Report on Compliance (ROC), which confirms that an entity meets all PCI DSS requirements.
- Relationship to service providers: A QSA will assess a service provider and/or merchant’s compliance, but the QSA itself is not a service provider.
Approved Scanning Vendor (ASV)
- Role: An ASV is a company approved by the PCI SSC to perform external vulnerability scanning services.
- Function: An ASV utilizes specialized tools and services to remotely scan an organization’s network perimeter, identifying security vulnerabilities. A passing scan is required quarterly for PCI DSS compliance.
- Relationship to service providers: An ASV provides a scanning service to both merchants and service providers, but is not considered a service provider in the same sense as a hosting provider or payment gateway.
Service provider (for PCI compliance)
In contrast, a service provider is a business entity that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organization. Examples include:
- Managed firewall providers
- Hosting companies
- Payment gateways
- Cloud service providers
Here are the PCI Security Standards Council’s official definitions:
- Service Provider: Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity. This includes payment gateways, payment service providers (PSPs), and independent sales organizations (ISOs). This also includes companies that provide services that control or could impact the security of CHD and/or SAD. Examples include managed service providers that provide managed firewalls, IDS, and other services as well as hosting providers and other entities.
- If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
- Third-Party Service Provider (TPSP): Any third party acting as a service provider on behalf of an entity.
- Multi-Tenant Service Provider: A type of Third-Party Service Provider that offers various shared services to merchants and other service providers, where customers share system resources (such as physical or virtual servers), infrastructure, applications (including Software as a Service (SaaS)), and/or databases. Services may include, but are not limited to, hosting multiple entities on a single shared server, providing e-commerce and/or “shopping cart” services, web-based hosting services, payment applications, various cloud applications and services, and connections to payment gateways and processors. See Service Provider and Third-Party Service Provider.
CISA: Attackers Breach Federal Agency via Critical GeoServer Flaw
Threat actors exploited CVE-2024-36401 less than two weeks after it was initially disclosed and used it to gain access to a large federal civilian executive […]