Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

PCI ASV External FAQ

Try Tenable.io Vulnerability Management

Run your first scan in under 60 seconds.

Try Now

PCI ASV

What is PCI ASV?

PCI ASV refers to requirement 11.2.2 of the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures that requires quarterly external vulnerability scans, which must be performed (or attested to) by an Approved Scanning Vendor (ASV). An ASV is an organization with a set of services and tools (“ASV Scanning Solution”) to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2.

What systems are in scope for ASV Scanning?

The PCI DSS requires vulnerability scanning of all externally accessible (internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment, as well as any externally facing system component that provides a path to the cardholder data environment.

What is the ASV process?

The main phases of ASV scanning consist of:

  • Scoping: performed by the customer to include all internet-facing system components that are part of the cardholder data environment.
  • Scanning: using the Tenable.io VM PCI Quarterly External Scan template
  • Reporting/remediation: results from interim reports are remediated.
  • Dispute Resolution: Customer and ASV work together to document and resolve disputed scan results.
  • Rescan (as needed): until a passing scan that resolves disputes and exceptions is generated.
  • Final Reporting: submitted and delivered in a secure fashion.

How frequently are ASV scans required?

ASV Vulnerability scans are required at least quarterly and after any significant change in the network, such as new system component installations, changes in network topology, firewall-rule modifications, or product upgrades.

How is an Approved Scanning Vendor (ASV) different from a Qualified Security Assessor (QSA)?

An ASV specifically performs only the external vulnerability scans described in PCI DSS 11.2. A QSA refers to an assessor company that has been qualified and trained by PCI Security Standards Council (SSC) to perform general PCI DSS on-site assessments.


Tenable.IO PCI ASV Solution Capabilities

Is Tenable a certified PCI ASV?

Yes. Tenable is qualified as an Approved Scanning Vendor (ASV) to validate external vulnerability scans of internet facing environments (used to store, process, or transmit cardholder data) of merchants and service providers. The ASV qualification process consists of three parts: the first involves the qualification of Tenable Network Security as a vendor. The second relates to the qualification of Tenable’s employees responsible for the remote PCI Scanning Services. The third consists of the security testing of Tenable’s remote scanning solution (Tenable.io Vulnerability Management and Tenable.io PCI ASV).

As an Approved Scanning Vendor (ASV), does Tenable actually perform the scans?

ASVs may perform the scans. However, Tenable relies on customers to conduct their own scans using the PCI Quarterly External Scan template. This template prevents customers from changing configuration settings, such as disabling vulnerability checks, assigning severity levels, altering scan paraments, etc.. Customers use Tenable.io VM cloud-based scanners to scan their internet facing environments and then submit compliant scan reports to Tenable for attestation. Tenable attests the scan reports, and then the customer submits them to their acquirers or payment brands as directed by the payment brands.

How is the new product different than the existing product?

New or improved capabilities include:

  • A single UI for users to scan/manage/submit/complete the ASV attestation process.
  • Ability for more than one person to file disputes and submit for ASV certification.
  • Ability to apply the same disputes/exceptions to multiple IPs. (Ability to create disputes based on plugins instead of by asset)
  • Ability to mark an IP as out-of-scope
  • Ability to annotate compensating controls

Data Sovereignty

Does Tenable.io PCI ASV comply with EU data sovereignty requirements?

Vulnerability data is not EU DPD 95/46/EC data, so any data residency requirements would be customer, not regulatory driven. EU state governmental organizations could have their own data residency requirements, but those would have to be assessed on a case-by-case basis and probably not an issue for PCI-ASV scans.


Tenable.io ASV Pricing/Licensing/Ordering

Does Tenable.io VM include any PCI ASV licenses?

Yes, Tenable.io VM includes a PCI ASV license for a single, unique PCI asset. Some organizations have taken great pains to limit the assets in scope for PCI, often by outsourcing payment processing functions. Because these customers are arguably "not in the PCI business", Tenable has simplified their purchasing and licensing. A customer can change their asset every 90 days.

How is Tenable.io PCI ASV licensed?

For customers having more than a single, unique PCI asset, the Tenable.io PCI ASV solution is licensed as an add-on to Tenable.io Vulnerability Management subscriptions.

Why isn’t Tenable.io PCI ASV licensed according to the number of a customer’s internet-facing PCI assets?

The number of internet-facing hosts that are within or provide a path to an entity’s cardholder data environment (CDE) can change frequently, thereby creating licensing complexity. Tenable elected to use a simpler licensing approach.

How many attestations may a customer submit per quarter?

Customers can submit an unlimited number of quarterly attestations.

Are Trial/Evaluation customers eligible to evaluate Tenable.io PCI ASV?

Yes. evaluation customer can use the PCI Quarterly External Scan template to scan assets, review results, and created disputes. However, they cannot submit scan reports for attestation.

How will existing Tenable.io VM customers transition to the new capability?

The new capability will be activated automatically on July 24, 2017 so customers will be able to use it for their next PCI ASV scan. Existing customers will not need to license the new PCI ASV capability for a minimum of one year.

How will SecurityCenter customers that have licensed the current PCI ASV capability transition to the new capability?

SecurityCenter® customers that have already licensed External/PCI Scanning will start using Tenable.io PCI ASV after it becomes available. At renewal, those customers can simply renew using their existing SKUs. However, it may be to their advantage to license Tenable.io PCI ASV instead.