Tenable PCI ASV Licensing

Legacy

The legacy Tenable PCI ASV licensing model consists of a “free” or trial functionality included with Tenable Vulnerability Management. This model is somewhat limited, including only a single asset every 90 days. Due to limitations, customers use the Tenable PCI ASV application mostly for testing and trials. Additionally, the primary Tenable PCI ASV SKU is sold separately.

New

The new Tenable PCI ASV SKUs are asset-based, necessitating that customers determine their PCI scope (encompassing both asset IP addresses and FQDNs) to purchase the appropriate volume of assets for PCI licensing. In contrast to Tenable Vulnerability Management and Tenable Web App Scanning, the methodology for counting assets under PCI is not a continuous, programmatic process, but rather a “moment in time” verification.

When the customer submits an attestation, the system verifies the number of assets included in the scan against the customer's purchased license count. If the scanned asset count is less than the licensed amount, the attestation submission is permitted. If the count exceeds the purchased license count, the attestation is blocked, and the customer is required either to designate assets as “out of scope” or to purchase additional licenses.

Note: Because Tenable licenses by unique IP address, when you select an asset in the PCI Workbench, Tenable PCI ASV automatically checks for other assets with the same IP address.

Tiers

The new licensing model for PCI consists of two tiers, PCI Standard and PCI Enterprise.

Tier             Maximum Attestations Per Year   Maximum Total SLA
PCI Standard     12                              30 days
PCI Enterprise   Unlimited                       14 days

Each tier has its own SKU. While existing customers with a Tenable One or Tenable Vulnerability Management license can purchase the new PCI SKUs individually, new customers must purchase at least a basic Tenable Vulnerability Management license in addition to the new PCI SKUs.

Using the New Licensing Model

When using the new licensing model, keep the following in mind:

  • You must purchase a specific number of assets for PCI use:

    • Determine the number of “in-scope” assets for PCI scanning. Tenable PCI ASV checks this number against the number of assets submitted in an attestation. If the number of assets within the attestation exceeds the asset limit, the attestation is automatically rejected.

  • You must determine the number of attestations you wish to submit and your SLA requirements to decide which tier is right for your business needs.

  • A new PCI Licensing tab on the PCI Workbench gives you added visibility into your license type, attestations submitted to date, as well as the number of assets in each attestation.

    Note: New features, including the PCI Licensing tab and SLA implementation, are only available for customers on the new licensing model. These features are noted throughout this user guide.

To purchase or upgrade to the new Tenable PCI ASV licensing model, contact your Tenable representative.

PCI Asset Licensing / Sizing

Determining the number of assets to license for PCI DSS compliance can be tricky because "PCI Scope" (what the auditor looks at) and "Licensing Scope" (what you need to buy to be safe) often differ.

We generally advise customers to over-estimate their asset count during the purchasing phase because PCI DSS Requirement 11 mandates that you must scan not just the systems holding the data, but also any system connected to them.

Important! Unlike Tenable Vulnerability Management or other Tenable products, the PCI license check occurs at the time of attestation submission. The number of unique IP addresses in the scan is compared to the purchased licensed count. If the number of assets exceeds licensed assets, the attestation is blocked.

The following sections describe how to determine the proper number of assets to purchase for each PCI-related Tenable module.

Product Evaluation

The simplest way to determine the number of assets you need is to request an evaluation of PCI and run a scan on your environment. This will allow you to use the product in your actual environment.

Note: For the purposes of licensing, all FQDNs/WebApps are resolved to unique IP addresses and counted at the time of attestation submission. Only unique IP addresses count for PCI licensing.

Tenable PCI and Related Applications

Tenable has distinct modules that are related to PCI (Tenable Vulnerability Management (TVM) for internal, Tenable PCI ASV for external, and Tenable Web App Scanning for web apps). Therefore, customers should calculate their asset scope separately for each module.

External Scanning (PCI ASV)

  • How to Count: The PCI SSC requires you to buy licenses for every single public-facing IP address owned by the entity, not just the ones handling credit cards.

  • The Logic: If you have a public IP that isn't in your scan, an auditor will ask you to prove it is completely segmented from your cardholder data. Since this is hard to prove without scanning it, Tenable advises purchasing coverage for your entire external IP range.

  • Guidance: Count all live public IP addresses in your network block. PCI licensing is based on unique IP addresses. All FQDNs/web apps scanned by the WAS PCI scanner will be resolved to IP addresses.

Internal Scanning (TVM)

As stated in the PCI DSS requirements, you must perform internal scans on your environment. Tenable PCI customers are required to own a full Tenable Vulnerability Management license as part of their Tenable PCI ASV license.

  • How to Count: Tenable advises counting all assets in the CDE (Cardholder Data Environment) + Connected-to Systems + Shared Services.

    Note: If a server (like Active Directory, DNS, or a Backup Server) services the PCI environment, it is in scope.

  • Guidance:

    • Count all servers/workstations explicitly handling credit card data.

    • Count all routers/firewalls securing those segments.

    • Count all infrastructure servers (AD, NTP, DNS) that the CDE talks to.

    • Add a 10-20% buffer: We recommend a buffer because modern environments (especially virtual/cloud) spin up new assets dynamically. Adding a buffer can help ensure you don't run out of licenses mid-audit.

Web Application Scanning (WAS)

Tenable PCI ASV includes both a Nessus and WAS scanner with the specific scan templates needed for PCI certification. However, the WAS PCI scan template only provides the minimal requirements for PCI web apps.

Note: Tenable highly recommends that you purchase a Tenable Web App Scanning license in addition to the Tenable PCI ASV licensing to fully scan and monitor all web applications.

  • How to Count: Tenable licenses web applications by the number of FQDNs (Fully Qualified Domain Names).

  • Guidance: Any web application that accepts payments or can impact the security of payment pages is in scope for PCI. While the PCI WAS scan suffices for certification, the full Tenable Web App Scanning product provides the most holistic scanning for your web applications.

Licensing Comparison Summary

Feature          Guidance
Primary Metric   IP Address (Internal) & URL (Web Apps)
External Scope   Buy for ALL public-facing IPs
Internal Scope   CDE + Connected Systems + Shared Services (AD/DNS)
Segmentation     Scan the CDE and the firewall protecting it
Web Apps         Count FQDNs/WebApps

Practical Recommendation

When preparing a budget, count all IP addresses and add 20% for a buffer.

Note: Active Directory Domain Controllers are in-scope if they authenticate any user who can access the CDE. Since many companies use one central AD, this often forces customers to license their entire Domain Controller fleet, significantly increasing the PCI asset count.
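As an added example (not Tenable's own code), the script below models the attestation-time check and the sizing advice described above: FQDNs/web apps are resolved to IP addresses, only unique IPs are counted, the count is compared with the purchased license count, and a sizing helper adds the recommended 20% buffer. The DNS answers and the scan scope are constructed sample data standing in for live resolution, and an attestation whose count exactly equals the license is assumed to be permitted.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample DNS answers standing in for live resolution at submission time.
CONSTRUCTED_DNS: Dict[str, str] = {
    "shop.example.com": "203.0.113.10",
    "pay.example.com": "203.0.113.10",   # same host as shop -> counts once
    "api.example.com": "203.0.113.20",
}

# Constructed sample scan scope: a mix of bare IPs and FQDNs/web apps.
SAMPLE_SCOPE: List[str] = [
    "203.0.113.10", "shop.example.com", "pay.example.com",
    "api.example.com", "198.51.100.5",
]


def unique_ips(scope: Iterable[str], resolver: Dict[str, str]) -> Set[str]:
    """Resolve every FQDN and return the set of unique IP addresses, the licensed unit."""
    ips: Set[str] = set()
    unresolved: List[str] = []
    for asset in scope:
        try:
            # Canonical form so "2001:db8::1" and "2001:DB8:0:0::1" dedupe to one asset.
            ips.add(str(ipaddress.ip_address(asset)))
        except ValueError:
            ip = resolver.get(asset)
            if ip is None:
                unresolved.append(asset)  # cannot be counted or scanned; report it
            else:
                ips.add(str(ipaddress.ip_address(ip)))
    if unresolved:
        raise ValueError(f"unresolvable FQDNs, fix DNS or mark out of scope: {unresolved}")
    return ips


def attestation_check(scope, licensed: int, resolver=CONSTRUCTED_DNS) -> Tuple[bool, int]:
    """Return (allowed, unique_ip_count). Blocked when the count exceeds the license;
    an exact match is assumed (not stated by the guide) to be permitted."""
    count = len(unique_ips(scope, resolver))
    return count <= licensed, count


def licenses_to_buy(scope, buffer_percent: int = 20, resolver=CONSTRUCTED_DNS) -> int:
    """Unique-IP count plus the recommended buffer, rounded up with integer maths."""
    count = len(unique_ips(scope, resolver))
    return count + (count * buffer_percent + 99) // 100


if __name__ == "__main__":
    ok, n = attestation_check(SAMPLE_SCOPE, licensed=2)
    print(f"{n} unique IPs, licensed 2: {'permitted' if ok else 'blocked'}")
    print(f"recommended purchase with 20% buffer: {licenses_to_buy(SAMPLE_SCOPE)}")
```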