Submit an Attestation for ASV Review
Required User Role: Administrator and Custom Role
Before you begin:
- Create an attestation for the scan you want to submit for ASV review.
- If your attestation includes assets that are not in scope for the Tenable PCI ASV review, mark each irrelevant asset as out of scope.
- If your attestation includes undisputed failures, create a dispute for each failure.
To submit an attestation for ASV review:
- Access the Tenable PCI ASV Workbench.
- Click the In Remediation tab.
  A table of your attestation requests appears.
- Click the attestation you want to submit for ASV review.
  The Attestation Details page appears.
- (Optional) To update the name of the attestation, in the General Information tab, in the Name box, type a new name.
- (Optional) To update the owner of the attestation, in the General Information tab, in the Owner drop-down box, select the owner you want to assign to the attestation.
- Do one of the following:
  - Fix any undisputed failures before submitting the attestation:
    - On the Undisputed Failures tab, create a dispute for each failure.
    - Click Submit to ASV Review.
  - Submit the attestation with known failures.
    Note: You may want to submit an attestation with undisputed failures if you need guidance on handling these failures, or if you need to obtain an initial attestation with a list of identified failures.
    Caution: If you submit an attestation that has undisputed failures to ASV for review, the ASV reviewer must fail the attestation.
    - Click Submit to ASV Review.
      The Submit for ASV Review panel appears.
    - In the Select the reason for submitting this scan drop-down, select the reason you want to submit the scan with known failures.
    - In the Comments box, provide any additional information on why you want to submit the scan with known failures.
    - Click Submit Scan.
      The Attestation Detail page appears.
- On the Attestation Detail page, configure the attestation information:
  - In the Contact Name box, type a contact for the attestation.
  - In the Email box, type an email for the attestation contact.
  - In the Phone box, type a phone number for the attestation contact.
  - In the Job Title box, type a job title for the attestation contact.
  - In the Company box, type the company where the attestation contact works.
  - In the Web URL box, type the URL for the company's website.
  - In the Address Line 1 box, type the address of the company.
  - (Optional) In the Address Line 2 box, type any additional address information for the company, such as a suite number or floor number.
  - In the City box, type the city where the company is located.
  - In the State / Province / Region box, type the state, province, or region where the company is located.
  - In the Zip / Postal Code box, type the zip code for the company's address.
  - (Optional) To add the country where the company is located, in the Country box, type the country.
  - In the Attestation Agreement section, carefully read the terms of the attestation agreement.
- Click Attest.
  An Attestation Successfully Submitted for ASV Review success notification appears, and Tenable PCI ASV adds the attestation to the Attestations tab.
After the ASV reviewer completes the review, the attestation appears under the In ASV Review tab. If the attestation passed, the status in the row is set to Passed; if the attestation failed, the status is set to Failed.
Note: Once your attestation moves to the In ASV Review or Attestations tab, the attestation is read-only. You cannot make additional changes to the attestation unless an ASV reviewer initiates an information request.
Tip: After you create your first attestation request, the New Attestation screen automatically populates the above fields with your previously entered information in each subsequent attestation request.
What to do next:
- The ASV assessment team aims to provide a passed or failed attestation within 45 days of the submission date.
  What's the process?
  Attestations get assigned within 14 business days of submission (with the exception of holidays). Once a report is assigned, it may take an additional 14 business days for the attestation to be In-Review. Once an attestation is In-Review, an assessor is actively reviewing the disputes. The completion and generation of the final reports for an In-Review attestation depend upon the number of disputes in the report and the responsiveness of the scan customer during this phase. If any disputes are questionable, the assessor provides an information request within 48 business hours. Once a scan customer has sufficiently answered all information requests, the report can be finalized and ready for export within 24 business hours.
- If the ASV reviewer requests additional information about your disputed failures, respond to the request. For more information, see Respond to an ASV Review Information Request.
- Download any completed attestation reports from the Attestations tab.
- Tenable advises that you submit an ASV scan 30 days before any compliance deadlines to ensure there is enough time to complete the review process.
  You can submit as many scans as needed, but ensure that you can properly dispute any risks presented as PCI failures and provide enough time to respond to requests for additional information from the ASV reviewer. For more information, see the Tenable blog Understanding PCI DSS Scanning Requirements.