Get Started with Tenable PCI ASV Scanning
The following feature is not supported in Tenable Vulnerability Management Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.
To prepare for a Tenable PCI ASV review:
- Work with your organization to determine what assets in your cardholder data environment (CDE) are in scope for Tenable PCI ASV scanning and review.
- Create and run the following scans:
  - A Tenable PCI ASV scan using the PCI Quarterly External Scan template.
  - A Tenable Web App Scanning scan using the PCI template. Run this scan against payment pages, web application pages, and any other pages that can serve as an entry point into the CDE or that may contain cardholder data (CHD).
Note: PCI scan data is intentionally excluded from dashboards, reports, and workbenches, because the scan's paranoid settings may produce false positives that other scans would not report.
Note: Because Tenable PCI ASV scans using the PCI Quarterly External Scan and PCI template have their own set of rules, any recast rules do not apply to the scan results.
Note: PCI DSS requires organizations to complete quarterly internal network scans, so you may also need to create a scan using the PCI Internal Network Scan template. However, you do not need to submit the internal network scan results for ASV review and validation.
Note: Since a clean scan substantially increases your chances of passing the ASV certification review, Tenable recommends that you launch the Tenable PCI ASV scan as many times as needed to get the cleanest scan possible.
- Submit a Scan for PCI Validation.
- Create an attestation request draft. As you create the draft, you may need to do one or both of the following:
  - If your scan results include assets that are irrelevant to the attestation, mark each irrelevant asset out of scope.
  - If the scan results include any failures, create a dispute for each failure.
Note: If you leave any failures undisputed when you submit your attestation for review, the ASV reviewer must fail the attestation.
- After you have addressed all the failures, submit the scan attestation for ASV review.
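The scan-preparation step above (create a scan from the PCI Quarterly External Scan template against the in-scope CDE hosts, launch it, and re-run it after each remediation until the results are clean) can be scripted. The following is an added example, not code from the Tenable documentation or from Tenable itself. It assumes the endpoint paths and response shapes of Tenable's public API reference for Tenable Vulnerability Management (GET /editor/scan/templates, POST /scans, POST /scans/{id}/launch, GET /scans/{id}), that API keys are supplied in the TIO_ACCESS_KEY and TIO_SECRET_KEY environment variables, and that the scan status values "completed", "canceled" and "aborted" are terminal; the template list and target addresses in the usage section are constructed placeholders.

```python
# Added example, not from the Tenable documentation page.
# Automates the scan-preparation step: look up the PCI Quarterly External Scan
# template, create a scan against the in-scope CDE targets, launch it, and wait
# for it to finish, using only the Python standard library.
#
# ASSUMPTIONS (not stated on the page):
# - Endpoint paths and response shapes follow Tenable's public API reference:
#   GET /editor/scan/templates, POST /scans, POST /scans/{id}/launch,
#   GET /scans/{id}.
# - API keys are read from the TIO_ACCESS_KEY / TIO_SECRET_KEY environment
#   variables; BASE_URL is the cloud.tenable.com host.
import json
import os
import time
import urllib.request

BASE_URL = "https://cloud.tenable.com"  # assumed API host

PCI_EXTERNAL_TEMPLATE_TITLE = "PCI Quarterly External Scan"  # template named on the page
TERMINAL_STATUSES = {"completed", "canceled", "aborted"}   # assumed status values


def api_headers():
    """Build the X-ApiKeys header from environment variables (assumed names)."""
    access = os.environ["TIO_ACCESS_KEY"]
    secret = os.environ["TIO_SECRET_KEY"]
    return {
        "X-ApiKeys": f"accessKey={access}; secretKey={secret}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def api_call(method, path, body=None):
    """Minimal JSON request helper; raises urllib.error.HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers=api_headers())
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def find_template_uuid(templates, title):
    """Select the scan template by exact (case-insensitive) title.

    Looking templates up by title rather than hard-coding a UUID avoids breaking
    if template identifiers change. Exactly one match is required so that a
    similarly named custom template cannot be picked by accident.
    """
    matches = [t for t in templates if t.get("title", "").lower() == title.lower()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one template titled {title!r}, found {len(matches)}")
    return matches[0]["uuid"]


def build_scan_payload(template_uuid, scan_name, targets):
    """Return the POST /scans body for the given template and in-scope targets.

    Targets are the externally reachable CDE hosts the organisation agreed are
    in scope. The scan is created with enabled=False so that no schedule is
    attached; it is launched explicitly instead.
    """
    cleaned = [t.strip() for t in targets if t and t.strip()]
    if not cleaned:
        raise ValueError("at least one in-scope target is required")
    return {
        "uuid": template_uuid,
        "settings": {
            "name": scan_name,
            "enabled": False,
            "text_targets": ",".join(cleaned),
        },
    }


def is_terminal(status):
    """True once the scan can no longer change state (assumed status set)."""
    return status in TERMINAL_STATUSES


def create_and_run_pci_scan(scan_name, targets, poll_seconds=60):
    """Create the PCI external scan, launch it, and block until it finishes.

    Returns (scan_id, final_status). Call it again after each remediation,
    since the page recommends re-scanning until the results are clean.
    """
    templates = api_call("GET", "/editor/scan/templates")["templates"]
    template_uuid = find_template_uuid(templates, PCI_EXTERNAL_TEMPLATE_TITLE)
    created = api_call("POST", "/scans", build_scan_payload(template_uuid, scan_name, targets))
    scan_id = created["scan"]["id"]
    api_call("POST", f"/scans/{scan_id}/launch")
    while True:
        status = api_call("GET", f"/scans/{scan_id}")["info"]["status"]
        if is_terminal(status):
            return scan_id, status
        time.sleep(poll_seconds)


if __name__ == "__main__":
    # Constructed placeholder targets; replace with the hosts your organisation scoped in.
    print(create_and_run_pci_scan("PCI ASV external (Q1)", ["203.0.113.10", "203.0.113.11"]))
```

The pure helpers (`find_template_uuid`, `build_scan_payload`, `is_terminal`) carry the logic that is worth testing offline; the network calls are isolated in `api_call` so the same script can be pointed at a mock server during development. Keep the scan's target list limited to the assets scoped in during the first step, since out-of-scope hosts would otherwise have to be marked as such in the attestation draft.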