Get Started with PCI ASV Scanning
The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.
Tip: This topic describes PCI ASV scans in the new interface. For information about the classic interface, see PCI ASV Scans (Classic Interface).
To prepare for a PCI ASV review:
- Work with your organization to determine which assets in your cardholder data environment (CDE) are in scope for PCI ASV scanning and review.
- Create the following scans:
  - Create a scan with the PCI Quarterly External Scan template.
  - Create a Web Application scan using the PCI template. Run this scan against payment pages, web application pages, and any other pages that can be seen as an entry point into the CDE or that may contain cardholder data (CHD).
  Note: PCI scan data is intentionally excluded from dashboards, reports, and workbenches. This is due to the scan's paranoid nature, which may produce false positives that would otherwise not be detected.
  Note: Because PCI ASV scans that use the PCI Quarterly External Scan and PCI templates have their own set of rules, recast rules do not apply to their scan results.
  Note: PCI DSS also requires organizations to complete quarterly internal network scans, so you may also need to create a scan using the PCI Internal Network Scan template. However, you do not need to submit internal network scan results for ASV review and validation.
- Launch the scan.
  Note: Because a clean scan substantially increases your chances of passing the ASV certification review, Tenable recommends that you launch the PCI ASV scan as many times as needed to get the cleanest scan possible.
- Submit the scan to the PCI ASV dashboard.
- Create an attestation request draft. As you create the draft, you may need to do one or both of the following:
  - If your scan results include assets that are irrelevant to the attestation, mark each irrelevant asset as out of scope.
  - If the scan results include any failures, create a dispute for each failure.
  Note: If you leave any failures undisputed when you submit your attestation for review, the ASV reviewer must fail the attestation.
- After you have addressed all the failures, submit the scan attestation for ASV review.