PCI ASV Scanning Overview

The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

Tip: This topic describes PCI ASV scans in the new interface. For information about the classic interface, see PCI ASV Scans (Classic Interface). For information about navigating the new interface, see Navigate Tenable.io (New Interface).

Credit card industry standards dictate that companies whose networks process payment card transactions must scan those networks for compliance with the Payment Card Industry Data Security Standard (PCI DSS) at least quarterly. Additionally, these companies must submit their external scan results to a third-party Approved Scanning Vendor (ASV) for review.

Tenable.io PCI ASV scan templates allow you to take comprehensive scans of your networks so you can identify and address vulnerabilities and ensure your organization complies with PCI DSS.

Tenable is also a licensed ASV reviewer, providing the external scanning and validation that PCI DSS requires.

The Tenable.io PCI ASV process strictly follows the PCI compliance guidelines, which are designed to ensure that failing vulnerabilities do not remain unaddressed for more than 90 days on any network that handles payment card transactions.

To prepare for a PCI ASV review:

  1. Work with your organization to determine which assets in your cardholder data environment (CDE) are in scope for PCI ASV scanning and review.
  2. Create the following scans:

    • Create a scan with the PCI Quarterly External Scan template.

    • Create a Web Application scan using the PCI template. Run this scan against payment pages, web application pages, and any other pages that can be seen as an entry point into the CDE or that may contain cardholder data (CHD).

    Note: PCI scan data is intentionally excluded from dashboards, reports, and workbenches. The PCI templates scan in paranoid mode, which reports findings that other templates would not report and which may therefore include false positives.

    Note: Because PCI ASV scans using the PCI Quarterly External Scan and PCI template have their own set of rules, any recast rules do not apply to the scan results.

    Note: PCI DSS requires organizations to complete quarterly internal network scans, so you may also need to create a scan using the PCI Internal Network Scan template. However, you do not need to submit the internal network scan results for ASV review and validation.

  3. Launch the scan.

    Note: Since a clean scan substantially increases your chances of passing the ASV certification review, Tenable recommends that you remediate findings and relaunch the PCI ASV scan as many times as needed to get the cleanest scan possible before you submit it.

  4. Submit the scan to the PCI ASV dashboard.
  5. Create an attestation request draft. As you create the draft, you may need to do one or both of the following:

    • If your scan results include assets that are irrelevant to the attestation, mark each irrelevant asset out of scope.
    • If the scan results include any failures, create a dispute for each failure.

      Note: If you leave any failures undisputed when you submit your attestation for review, the ASV reviewer must fail the attestation.

  6. After you have addressed all the failures, submit the scan attestation for ASV review.
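Steps 2 and 3 above (create the scan from the PCI Quarterly External Scan template, launch it, and relaunch after remediation) can also be driven from the Tenable.io REST API rather than the interface. The following is an added example written for this page, not code from the Tenable documentation or product. It uses the public endpoints GET /editor/scan/templates, POST /scans, POST /scans/{id}/launch and GET /scans/{id} with X-ApiKeys authentication; the template title string, the JSON field names, the "completed" status value and the severity counters are assumptions based on the API as the author knows it, and should be checked against the current API reference before use. The FakeTransport class returns constructed sample responses so the example runs offline. The host summary at the end is only a rough indicator of which hosts are likely to need remediation or a dispute (ASV failures are based on CVSS 4.0 and above, roughly Tenable's medium and higher); the authoritative pass/fail result comes from the PCI ASV dashboard, which this example does not touch.

```python
"""Create and launch a PCI Quarterly External scan through the Tenable.io REST API.

Added example, not Tenable's own code. Endpoints are the public Tenable.io
scan API; the template title, field names and status values are assumptions.
"""
import json
import os
import time
import urllib.request

BASE_URL = "https://cloud.tenable.com"
PCI_TEMPLATE_TITLE = "PCI Quarterly External Scan"  # assumed template title
TERMINAL_STATUSES = ("completed", "canceled", "aborted")  # assumed status values


def http_json(method, path, body=None):
    """Real transport: one authenticated JSON call to the Tenable.io API.
    Keys come from the environment so they never land in source control."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("X-ApiKeys",
                   f"accessKey={os.environ['TIO_ACCESS_KEY']}; "
                   f"secretKey={os.environ['TIO_SECRET_KEY']}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def find_template_uuid(templates, title=PCI_TEMPLATE_TITLE):
    """Return the UUID of the scan template whose title matches exactly."""
    for tmpl in templates.get("templates", []):
        if tmpl.get("title") == title:
            return tmpl["uuid"]
    raise LookupError(f"no scan template titled {title!r}")


def create_pci_scan(transport, name, targets):
    """Create (but do not launch) a scan from the PCI template; returns the scan id."""
    uuid = find_template_uuid(transport("GET", "/editor/scan/templates"))
    body = {"uuid": uuid,
            "settings": {"name": name,
                         "text_targets": ",".join(targets),  # in-scope CDE hosts only
                         "enabled": False}}                 # no schedule; launch explicitly
    return transport("POST", "/scans", body)["scan"]["id"]


def launch_and_wait(transport, scan_id, sleep=time.sleep, interval=30, max_polls=720):
    """Launch the scan and poll until it reaches a terminal status; returns that status.
    Safe to call repeatedly on the same scan id after each round of remediation."""
    transport("POST", f"/scans/{scan_id}/launch")
    for _ in range(max_polls):
        status = transport("GET", f"/scans/{scan_id}")["info"]["status"]
        if status in TERMINAL_STATUSES:
            return status
        sleep(interval)
    raise TimeoutError(f"scan {scan_id} did not finish after {max_polls} polls")


def hosts_needing_attention(scan_detail):
    """Hosts with any medium-or-higher finding (assumed keys critical/high/medium).
    Rough proxy for 'likely to fail ASV'; the dashboard decides for real."""
    return sorted(h["hostname"] for h in scan_detail.get("hosts", [])
                  if h.get("critical", 0) + h.get("high", 0) + h.get("medium", 0) > 0)


class FakeTransport:
    """Constructed canned responses shaped like the real API, for offline use."""
    def __init__(self):
        self.calls, self.polls = [], 0

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if (method, path) == ("GET", "/editor/scan/templates"):
            return {"templates": [
                {"uuid": "tmpl-basic", "name": "basic", "title": "Basic Network Scan"},
                {"uuid": "tmpl-pci", "name": "pci", "title": PCI_TEMPLATE_TITLE}]}
        if (method, path) == ("POST", "/scans"):
            return {"scan": {"id": 42, "uuid": body["uuid"], "name": body["settings"]["name"]}}
        if (method, path) == ("POST", "/scans/42/launch"):
            return {"scan_uuid": "constructed-launch-uuid"}
        if (method, path) == ("GET", "/scans/42"):
            self.polls += 1  # two "running" polls, then completed
            return {"info": {"status": "running" if self.polls < 3 else "completed"},
                    "hosts": [{"hostname": "203.0.113.10", "critical": 0, "high": 1, "medium": 0, "low": 2},
                              {"hostname": "203.0.113.11", "critical": 0, "high": 0, "medium": 0, "low": 1}]}
        raise AssertionError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    # Swap FakeTransport() for http_json to run against a real tenant.
    api = FakeTransport()
    scan_id = create_pci_scan(api, "PCI Q1 external", ["203.0.113.10", "203.0.113.11"])
    print("status:", launch_and_wait(api, scan_id, sleep=lambda _s: None))
    print("review these hosts:", hosts_needing_attention(api("GET", f"/scans/{scan_id}")))
```

Keep the target list limited to the assets you marked in scope in step 1; anything else that ends up in the results has to be marked out of scope by hand during the attestation draft.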