PCI ASV Scans (Classic Interface)

The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

Tip: This topic describes PCI ASV scans in the classic interface. For information about the new interface, see PCI ASV Scanning Overview.

The Payment Card Industry Data Security Standard (PCI DSS) requires companies whose networks process payment card transactions to scan those networks for PCI DSS compliance at least quarterly. Externally facing systems must additionally be scanned by, and the results reviewed by, a third-party Approved Scanning Vendor (ASV).

Tenable.io PCI ASV scan templates allow you to run comprehensive scans of your networks so you can identify and address vulnerabilities and demonstrate that your organization complies with PCI DSS.

Tenable is also a PCI SSC Approved Scanning Vendor, providing the external scanning and ASV review that the PCI Security Standards Council requires.

The Tenable.io PCI ASV process follows the PCI SSC ASV Program Guide, which requires a passing external scan at least once every 90 days for any network segment that involves payment card transactions.

Video: PCI ASV High Level Workflow in Tenable.io

To prepare for a PCI ASV review:

  1. Work with your organization to determine what assets in your cardholder data environment (CDE) are in scope for PCI/ASV scanning and review.
  2. Create a scan with the PCI Quarterly External Scan template.

    Note: Because the PCI Quarterly External Scan template runs with more aggressive (paranoid) detection settings than standard scans and may therefore produce false positives, your PCI scan data is intentionally excluded from your overall Tenable.io scan data.

    Note: Because PCI ASV scans using the PCI Quarterly External Scan template have their own set of rules, any recast rules do not apply to the scan results.

    Note: PCI DSS requires organizations to complete quarterly internal network scans, so you may also need to create a scan using the PCI Internal Network Scan template. However, you do not need to submit the internal network scan results for ASV review and validation.

  3. If your organization's assets include web applications that are in scope for the PCI/ASV review, create a scan using the PCI WAS Scan template.

    Note: The PCI WAS Scan template is available only in the classic Tenable.io interface.

  4. Launch the scan.

    Note: Because a clean scan substantially increases your chances of passing the ASV review, Tenable recommends that you remediate the findings and relaunch the PCI ASV scan as many times as needed to get the cleanest scan possible before you submit it.

  5. Submit the scan to the PCI ASV workbench.

  6. Create an attestation request draft. As you create the draft, you may need to do one or both of the following:

    • If your scan results include assets that are irrelevant to the attestation, mark each irrelevant asset out of scope.
    • If the scan results include any failures, create a dispute for each failure.

      Note: If you leave any failures undisputed when you submit your attestation for review, the ASV reviewer must fail the attestation.

  7. After you have addressed all the failures, submit the scan attestation for ASV review.
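Steps 2 through 4 (create a scan from the PCI Quarterly External Scan template, launch it, and wait for it to finish) can be driven through the Tenable.io REST API rather than the classic interface. The following is an added example and not Tenable's own code: it uses the documented `/editor/scan/templates`, `/scans`, `/scans/{id}/launch` and `/scans/{id}` endpoints with API-key authentication. Matching the template by its display title, the fake offline transport, the scan id, template uuid and TEST-NET-3 target addresses are all assumptions made here. The workbench submission and attestation steps (5 through 7) are performed in the interface and are not covered.

```python
"""Added example (not Tenable's code): drive steps 2-4 of the PCI ASV workflow
through the Tenable.io REST API. Endpoints are the documented ones; the template
title match, the FakeTenable transport, and all ids/uuids are assumptions."""
import json
import time
import urllib.request

API_BASE = "https://cloud.tenable.com"
PCI_EXTERNAL_TITLE = "PCI Quarterly External Scan"   # assumed to match the template's title
TERMINAL = {"completed", "aborted", "canceled", "empty"}  # statuses where polling can stop


def http_transport(access_key, secret_key):
    """Return send(method, path, body) that talks to the real API with API-key auth."""
    headers = {
        "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }

    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API_BASE + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)

    return send


def find_template_uuid(send, title=PCI_EXTERNAL_TITLE):
    """GET /editor/scan/templates and pick the PCI external template by its title."""
    for tpl in send("GET", "/editor/scan/templates").get("templates", []):
        if tpl.get("title") == title:
            return tpl["uuid"]
    raise LookupError(f"scan template {title!r} not available in this account")


def create_scan(send, template_uuid, name, targets):
    """POST /scans; text_targets is the comma-separated list of in-scope CDE addresses."""
    body = {"uuid": template_uuid,
            "settings": {"name": name, "text_targets": ",".join(targets)}}
    return send("POST", "/scans", body)["scan"]["id"]


def launch_scan(send, scan_id):
    """POST /scans/{id}/launch; the response carries the uuid of this particular run."""
    return send("POST", f"/scans/{scan_id}/launch")["scan_uuid"]


def wait_for_scan(send, scan_id, poll_seconds=30, max_polls=480, sleep=time.sleep):
    """Poll GET /scans/{id} until info.status is terminal (defaults allow 4 hours)."""
    for _ in range(max_polls):
        status = send("GET", f"/scans/{scan_id}")["info"]["status"]
        if status in TERMINAL:
            return status
        sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still not finished after {max_polls} polls")


def run_pci_external_scan(send, name, targets, sleep=time.sleep):
    """Steps 2-4 end to end; returns (scan_id, final status)."""
    scan_id = create_scan(send, find_template_uuid(send), name, targets)
    launch_scan(send, scan_id)
    return scan_id, wait_for_scan(send, scan_id, sleep=sleep)


class FakeTenable:
    """Offline stand-in for the API so the flow can be exercised without an account.
    Response shapes mirror the real endpoints; the uuids and the scan id are made up."""
    TEMPLATE_UUID = "ab4bacd2-fake-pci-external"

    def __init__(self):
        self.created = None
        self.launched = False
        self._polls = 0

    def __call__(self, method, path, body=None):
        if (method, path) == ("GET", "/editor/scan/templates"):
            return {"templates": [{"uuid": "basic-uuid", "title": "Basic Network Scan"},
                                  {"uuid": self.TEMPLATE_UUID, "title": PCI_EXTERNAL_TITLE}]}
        if (method, path) == ("POST", "/scans"):
            self.created = body
            return {"scan": {"id": 42}}
        if (method, path) == ("POST", "/scans/42/launch"):
            self.launched = True
            return {"scan_uuid": "run-0001"}
        if (method, path) == ("GET", "/scans/42"):
            self._polls += 1  # constructed progression: pending -> running -> completed
            status = ["pending", "running", "completed"][min(self._polls - 1, 2)]
            return {"info": {"status": status}}
        raise ValueError(f"unexpected call {method} {path}")


def demo():
    """Run the flow against the fake with constructed TEST-NET-3 targets."""
    fake = FakeTenable()
    result = run_pci_external_scan(fake, "Q3 PCI external", ["203.0.113.10", "203.0.113.11"],
                                   sleep=lambda _s: None)
    return fake, result


if __name__ == "__main__":
    fake, (scan_id, status) = demo()
    print(f"scan {scan_id} created from template {fake.created['uuid']} finished: {status}")
```

To run it against a real account, replace the fake with `http_transport(access_key, secret_key)`; the API keys should belong to a user whose permissions are limited to scan creation and launching on the PCI-scoped targets. Because recast rules do not apply to PCI scans, the results must still be reviewed in the PCI ASV workbench, where out-of-scope assets are marked and any remaining failures disputed before the attestation is submitted.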