Vulnerability assessment is the process of identifying publicly known weaknesses in information systems, mainly using automated tools. Vulnerability scanning can include, but is not limited to, scanning for open network ports, software and operating system flaws, unapplied patches, common weaknesses in applications, gaps in network equipment (firewalls, routers, etc.) and more.
Unlike penetration tests, vulnerability assessment does not exploit those weaknesses to show their impact and what damage they could cause.
Vulnerability scanning is an exceptional method for getting a basic idea of the possible flaws, but it cannot identify whether infrastructure security could prevent the exploitation and make it infeasible. It is also important to note that a vulnerability assessment is not enough to meet PCI DSS and other required certifications.