PCI ASV Validation Portal
For instructions on how to perform a PCI Quarterly External Scan, see the Tenable.io workflow.
Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain Data Security Standards (DSS) requirements by performing vulnerability scans of internet-facing environments of merchants and service providers.
Tenable Network Security is a Payment Card Industry (PCI) ASV and is certified to validate vulnerability scans of Internet-facing systems for adherence to certain aspects of the PCI DSS. Tenable.io is a validated ASV solution.
Any policies created with the PCI Quarterly External Scan policy template cannot be edited further; this ensures that the required testing is performed.
Note: Customers are allowed up to two quarterly report submissions for PCI ASV validation.
PCI Validation Portal
The PCI Validation user section displays a list of reports that have been submitted by the currently logged-in user. Use the Report Filter to filter reports by Owner, Name, and Status.
Note: For security reasons, if you do not have a screensaver enabled, you must re-authenticate to your instance of the PCI Validation Portal every 15 minutes.
To pass a PCI DSS ASV assessment, all items (except for denial of service (DoS) vulnerabilities) listed as Critical, High, or Medium (or with a CVSS score of 4.0 or higher) must either be remediated or disputed by the customer. All disputed items must either be resolved, accepted as exceptions, accepted as false positives, or mitigated through the use of compensating controls. All items listed as Critical, High, or Medium can be viewed in detail. Additionally, all items carry an option to dispute the item in question.
Click the name of the scan in the List of Reports to view a list of hosts and the number of vulnerabilities found on each host. The list is sorted by severity.
Caution: Tenable.io customers are responsible for reviewing all of their Failed Items before submitting a scan report to Tenable™. Select the Failed Items in the List of Reports to jump directly to the items that may affect your PCI ASV Validation compliance status.
You can expand each row for additional vulnerability details.
A Dispute button appears for each individual item. Enter additional details about vulnerability remediation, or dispute what you believe may be a false positive generated by the initial scan.
When an item is disputed, a ticket is created. Select an amendment type, add text to the amendment, or add notes prior to submission.
To view a ticket after creation, click the item and select View Ticket.
To add an additional comment, click Edit and select Add Note. Enter your comment and click Update.
Tip: Plugin 33929, PCI DSS Compliance, is an administrative plugin that links to the results of other plugins. If a report shows that a host is not PCI DSS compliant, resolving all failed items allows plugin 33929 to resolve and be replaced with plugin 33930, PCI DSS Compliance: Passed. In cases of disputes or exceptions, if all failed report items are successfully disputed or given exceptions, an exception can be given for plugin 33929 based on the remediation of all other report issues.
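As an added illustration (not Tenable's code or API) of the failed-item rule stated above and the plugin 33929/33930 behaviour described in the tip, the following Python models a report's findings, decides whether the report can be submitted, and determines which compliance plugin a host would show. The Finding fields, the outcome labels, and every plugin ID other than 33929/33930 are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

FAILING_SEVERITIES = {"Critical", "High", "Medium"}  # labels that make an item a Failed Item
CVSS_FAIL_THRESHOLD = 4.0                            # CVSS at or above this also fails
# Assumed labels for ticket outcomes that clear a disputed item.
CLEARING_OUTCOMES = {"resolved", "exception", "false_positive", "compensating_control"}
PCI_NOT_COMPLIANT, PCI_PASSED = 33929, 33930  # administrative plugins named in the tip above

@dataclass
class Finding:  # assumed shape of one report item
    host: str
    plugin_id: int
    severity: str
    cvss: float
    is_dos: bool = False
    remediated: bool = False
    dispute_outcome: Optional[str] = None  # None: no ticket; "open": awaiting ASV review

def is_failed_item(f: Finding) -> bool:
    """Critical/High/Medium or CVSS >= 4.0 counts against compliance, except DoS findings."""
    if f.is_dos:
        return False
    return f.severity in FAILING_SEVERITIES or f.cvss >= CVSS_FAIL_THRESHOLD

def is_cleared(f: Finding) -> bool:
    """An item stops blocking compliance once remediated or disputed with an accepted outcome."""
    return f.remediated or f.dispute_outcome in CLEARING_OUTCOMES

def outstanding_items(findings: List[Finding]) -> List[Finding]:
    """Failed items with neither remediation nor a ticket; each one blocks submission."""
    return [f for f in findings
            if is_failed_item(f) and not f.remediated and f.dispute_outcome is None]

def can_submit(findings: List[Finding]) -> bool:
    """The portal refuses submission while any failed item lacks remediation or a ticket."""
    return not outstanding_items(findings)

def compliance_plugin(host: str, findings: List[Finding]) -> int:
    """33929 stays on a host until every failed item there is cleared; then 33930 replaces it."""
    failed = [f for f in findings if f.host == host and is_failed_item(f)
              and f.plugin_id not in (PCI_NOT_COMPLIANT, PCI_PASSED)]
    return PCI_PASSED if all(is_cleared(f) for f in failed) else PCI_NOT_COMPLIANT

# Constructed sample report (documentation-range hosts, made-up plugin IDs 10001-10004).
SAMPLE = [
    Finding("203.0.113.10", 10001, "Medium", 5.3, remediated=True),
    Finding("203.0.113.10", 10002, "Low", 4.3, dispute_outcome="false_positive"),  # CVSS rule
    Finding("203.0.113.10", 10003, "High", 7.5, is_dos=True),                      # DoS exempt
    Finding("203.0.113.11", 10004, "Medium", 4.0, dispute_outcome="open"),         # ticket pending
]
```

Host .10 resolves to 33930 because its only failed items are remediated or cleared, while host .11 keeps 33929 until its open ticket is accepted; the report itself is submittable because every failed item has a ticket.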
To submit supporting evidence to a ticket, click the number under Open Tickets. A list of tickets displays.
Upload File and Attach options appear.
Click Browse. Navigate to and select the evidence file (screenshot, Word document, PDF, etc.).
Click Attach. When completed, an "upload successful" message appears.
Click the Download link next to an attachment to show the names of all files attached to the ticket.
When tickets have been created for all outstanding report items under user review, the report can then be sent to Tenable™ for ASV review.
Before a report can be submitted for review, the customer must fill in contact information and agree to an attestation that includes mandatory text as described in the ASV Program Guide.
If a customer neglects to address any outstanding item for a particular scan before the report is submitted for ASV review, they are prompted to ensure a ticket has been created for each item. Any report with outstanding items that have not been addressed by the customer cannot be submitted for review.
When a report is successfully submitted, the status of the report changes from Under User Review to Under Admin Review. Additionally, the Submit option is disabled to prevent the submission of duplicate items or reports.
Caution: The Withdraw function is only available once a report has been submitted for review. Withdrawing a ticket causes the item in question to be flagged as unresolved due to inconclusive evidence, and the report as a whole is deemed non-compliant.
If a Tenable™ staff member requests more information, or if any other user action is required by the customer for a ticket, an indicator appears in the List of Reports.
The ticket can then be amended by the user and resubmitted to Tenable Network Security for further review.
Once a scan report has earned compliance status, customers can view reports in Attestation Report, Executive Report, or Detailed Report formats. An ASV Feedback Form is also provided to the customer. Click the Download icon next to a report to access these options.
The Attestation Report, Executive Report, and Detailed Report are only available in PDF format.
On the web-based interface, click a report name and then select the host name to view a list of items pertaining to the selected report.