Submit an Attestation for ASV Review

Required User Role: Administrator and Custom Role

Before you begin:

Caution: Assessors can only review submitted attestations while your subscription is active. This means that if your subscription expires during the normal review period, Tenable cannot complete your report. You must renew your Tenable PCI ASV subscription, at which time Tenable can continue reviewing your attestation.

To submit an attestation for ASV review:

  1. Access the Tenable PCI ASV Workbench.

  2. Click the In Remediation tab.

    A table of your attestation requests appears.

  3. Click the attestation you want to submit for ASV review.

    The Attestation Details page appears.

  4. (Optional) To update the name of the attestation, in the General Information tab, in the Name box, type a new name.
  5. (Optional) To update the owner of the attestation, in the General Information tab, in the Owner drop-down box, select the owner you want to assign to the attestation.
  6. Do one of the following:
    • Fix any undisputed failures before submitting the attestation:
      1. On the Undisputed Failures tab, create a dispute for each failure.
      2. Click Submit to ASV Review.
    • Submit the attestation with known failures.

      Note: You may want to submit an attestation with undisputed failures if you need guidance on handling these failures, or if you need to obtain an initial attestation with a list of identified failures.

      Caution: If you submit an attestation that has undisputed failures to ASV for review, the ASV reviewer must fail the attestation.

      1. Click Submit to ASV Review.

        The Submit for ASV Review panel appears.

      2. In the Select the reason for submitting this scan drop-down, select the reason you want to submit the scan with known failures.

      3. In the Comments box, provide any additional information on why you want to submit the scan with known failures.

      4. Click Submit Scan.

    The Attestation Detail page appears.

  7. In the Attestation Agreement section, carefully read the terms of the attestation agreement.
  8. Click Attest.

    An Attestation Successfully Submitted for ASV Review success notification appears, and Tenable PCI ASV adds the attestation to the Attestations tab.

    After the ASV review completes the review, the attestation appears under the In ASV Review tab. If the attestation passed, the status is set to Passed and if the attestation failed, the status is set to Failed in the row.

    Note: Once your attestation moves to the In ASV Review or Attestations tab, the attestation is read-only. You cannot make additional changes to the attestation unless an ASV reviewer initiates an information request.

    Tip: After you create your first attestation request, the New Attestation screen automatically populates the above fields with your previously entered information in each subsequent attestation request.

What to do next:

  • The ASV assessment team aims to provide a passed or failed attestation within 45 days of the submission date.

  • If the ASV reviewer requests additional information about your disputed failures, respond to the request. For more information, see Respond to an ASV Review Information Request.
  • Download any completed attestation reports from the Attestations tab.
  • Tenable advises that you submit an ASV scan 30 days before any compliance deadlines to ensure there is enough time to complete the review process.

    You can submit as many scans as needed, but ensure that you can properly dispute any risks presented as PCI failures and provide enough time to respond to requests for additional information from the ASV reviewer. For more information, see the Tenable blog Understanding PCI DSS Scanning Requirements.