
PCI ASV External FAQ


PCI ASV

What is PCI ASV?

PCI ASV refers to requirement 11.2.2 of the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures that requires quarterly external vulnerability scans, which must be performed (or attested to) by an Approved Scanning Vendor (ASV). An ASV is an organization with a set of services and tools (“ASV Scanning Solution”) to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2.

What systems are in scope for ASV Scanning?

The PCI DSS requires vulnerability scanning of all externally accessible (internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment, as well as any externally facing system component that provides a path to the cardholder data environment.

What is the ASV process?

The main phases of ASV scanning consist of:

  • Scoping: performed by the customer to include all internet-facing system components that are part of the cardholder data environment.
  • Scanning: using the specified Tenable Vulnerability Management PCI and WAS templates. Multiple Cardholder Data Environment (CDE) sections can be scanned individually.
  • Merge multiple scans into a single attestation
  • Reporting/remediation: results from interim reports are remediated.
  • Dispute Resolution: Customer and ASV (Tenable) work together to document and resolve disputed scan results.
  • Rescan (as needed): until a passing scan that resolves disputes and exceptions is generated.
  • Merge multiple scans into a single attestation
  • Final Reporting: submitted and delivered in a secure fashion.

How frequently are ASV scans required?

ASV vulnerability scans are required at least quarterly and after any significant change in the network, such as new system component installations, changes in network topology, firewall-rule modifications, or product upgrades.

How is an Approved Scanning Vendor (ASV) different from a Qualified Security Assessor (QSA)?

An ASV specifically performs only the external vulnerability scans described in PCI DSS 11.2. A QSA refers to an assessor company that has been qualified and trained by PCI Security Standards Council (SSC) to perform general PCI DSS on-site assessments.

Is Tenable a certified PCI ASV?

Yes. Tenable is qualified as an Approved Scanning Vendor (ASV) to validate external vulnerability scans of internet-facing environments (used to store, process, or transmit cardholder data) of merchants and service providers. The ASV qualification process consists of three parts. The first involves the qualification of Tenable Network Security as a vendor. The second relates to the qualification of Tenable’s employees responsible for the remote PCI Scanning Services. The third consists of the security testing of Tenable’s remote scanning solution (Tenable Vulnerability Management and Tenable PCI ASV).

As an Approved Scanning Vendor (ASV), does Tenable actually perform the scans?

ASVs may perform the scans. However, Tenable relies on customers to conduct their own scans using the PCI Quarterly External Scan template. This template prevents customers from changing configuration settings, such as disabling vulnerability checks, assigning severity levels, altering scan parameters, etc. Customers use Tenable Vulnerability Management cloud-based scanners to scan their internet-facing environments and then submit compliant scan reports to Tenable for attestation. Tenable attests the scan reports, and then the customer submits them to their acquirers or payment brands as directed by the payment brands.

Data Sovereignty

Does Tenable PCI ASV comply with EU data sovereignty requirements?

Vulnerability data is not EU DPD 95/46/EC data, so any data residency requirements would be customer-driven, not regulatory-driven. EU state governmental organizations could have their own data residency requirements, but those would have to be assessed on a case-by-case basis and are probably not an issue for PCI-ASV scans.


Tenable Vulnerability Management ASV Pricing/Licensing/Ordering

Does Tenable Vulnerability Management include any PCI ASV licenses?

Yes, Tenable Vulnerability Management includes a PCI ASV license for a single, unique PCI asset. Some organizations have taken great pains to limit the assets in scope for PCI, often by outsourcing payment processing functions. Because these customers are arguably "not in the PCI business", Tenable has simplified their purchasing and licensing. A customer can change their asset every 90 days.

How is Tenable PCI ASV licensed?

For customers having more than a single, unique PCI asset, the Tenable PCI ASV solution is licensed as an add-on to Tenable Vulnerability Management subscriptions.

Why isn’t Tenable PCI ASV licensed according to the number of a customer’s internet-facing PCI assets?

The number of internet-facing hosts that are within or provide a path to an entity’s cardholder data environment (CDE) can change frequently, thereby creating licensing complexity. Tenable elected to use a simpler licensing approach.

How many attestations may a customer submit per quarter?

Customers can submit an unlimited number of quarterly attestations.

Are Trial/Evaluation customers eligible to evaluate Tenable PCI ASV?

Yes. An evaluation customer can use the PCI Quarterly External Scan template to scan assets and review results. However, they cannot submit the scan reports for attestation.

How will existing Tenable Vulnerability Management customers transition to the new capability?

The new capability will be activated automatically on July 24, 2017 so customers will be able to use it for their next PCI ASV scan. Existing customers will not need to license the new PCI ASV capability for a minimum of one year.

How will SecurityCenter customers that have licensed the current PCI ASV capability transition to the new capability?

SecurityCenter® customers that have already licensed External/PCI Scanning will start using Tenable PCI ASV after it becomes available. At renewal, those customers can simply renew using their existing SKUs. However, it may be to their advantage to license Tenable PCI ASV instead.
