Unofficial PCI ASV Validation Scan

Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain Data Security Standards (DSS) requirements by performing vulnerability scans of internet-facing environments of merchants and service providers.

Tenable, Inc. is a Payment Card Industry (PCI) ASV, and is certified to validate vulnerability scans of internet-facing systems for adherence to certain aspects of the PCI DSS and is a validated ASV solution.

Nessus Professional, Nessus Expert, and Nessus Manager feature two PCI-related scan templates: Internal PCI Network Scan and Unofficial PCI Quarterly External Scan.

Internal PCI Network Scan

This template creates scans that you can use to satisfy internal (PCI DSS 11.2.1) scanning requirements for ongoing vulnerability management programs that satisfy PCI compliance requirements. You can use these scans for ongoing vulnerability management and to perform rescans until passing or clean results are achieved. You can provide credentials to enumerate missing patches and client-side vulnerabilities.

Note: While the PCI DSS requires you to provide evidence of passing or "clean" scans on at least a quarterly basis, you must also perform scans after any significant changes to your network (PCI DSS 11.2.3).

Unofficial PCI Quarterly External Scan

The Unofficial PCI Quarterly External Scan template creates a scan that simulates an external scan (PCI DSS 11.2.2) performed by to meet PCI DSS quarterly scanning requirements. Although you cannot submit the results for validation, you can use them to see what official results might look like. Users that have external PCI scanning requirements should use this template in, which allows scanning unlimited times before submitting results to Tenable, Inc. for validation ( is a validated ASV solution).

For more information on performing and submitting an official PCI Quarterly External Scan, see the User Guide.

Submit Scan Results

Only customers can submit their PCI scan results to Tenable, Inc. for PCI ASV validation.

When you submit, Nessus uploads the scan results, which you can review from a PCI DSS perspective.