Mark an Asset as Out of Scope

Required User Role: Administrator and Custom Role

In a PCI ASV attestation, marking an asset as "out of scope" is a formal way of declaring that a specific IP address or component detected during a scan is not part of your Cardholder Data Environment (CDE) and does not have the potential to impact the security of cardholder data. Under PCI DSS requirements, you must scan all internet-facing assets. However, if your scan picks up infrastructure that is logically or physically isolated from your payment processes, you can exclude it to ensure your compliance report is accurate.

Before you begin:

To mark an asset as out of scope:

  1. Access the Tenable PCI ASV Workbench.

  2. Click the In Remediation tab.

    A table of your attestation requests appears.

  3. Click the attestation that has an asset you want to mark out of scope.

    The Attestation Details page appears.

  4. Click the Assets tab.

    A table of assets associated with the attestation appears.

  5. Select the check box next to the asset or assets you want to mark out of scope.

  6. In the action bar, click the Mark as Out of Scope button.

    The Out Of Scope panel appears.

  7. In the Message for Analyst text box, provide the PCI analyst with the reason for marking the asset as out of scope.

  8. Click Save.

    Tenable PCI ASV removes the selected asset or assets from its review scope.

What to do next: