PCI ASV External FAQ
What is PCI ASV?
PCI ASV refers to Requirement 11.2.2 of the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures, which requires quarterly external vulnerability scans that must be performed (or attested to) by an Approved Scanning Vendor (ASV). An ASV is an organization with a set of services and tools (an “ASV Scanning Solution”) that validates adherence to the external scanning requirement in PCI DSS Requirement 11.2.2.
What systems are in scope for ASV Scanning?
The PCI DSS requires vulnerability scanning of all externally accessible (internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment, as well as any externally facing system component that provides a path to the cardholder data environment.
What is the ASV process?
The main phases of ASV scanning consist of:
- Scoping: performed by the customer to include all internet-facing system components that are part of, or provide a path to, the cardholder data environment.
- Scanning: using the specified Tenable.io PCI and WAS templates. Multiple Cardholder Data Environment (CDE) segments can be scanned individually.
- Reporting/remediation: findings from interim reports are remediated.
- Dispute resolution: the customer and the ASV (Tenable) work together to document and resolve disputed scan results.
- Rescan (as needed): repeated until a passing scan that resolves all disputes and exceptions is generated.
- Merging: multiple scans are merged into a single attestation.
- Final reporting: the attestation is submitted and delivered in a secure fashion.
How frequently are ASV scans required?
ASV vulnerability scans are required at least quarterly and after any significant change in the network, such as new system component installations, changes in network topology, firewall-rule modifications, or product upgrades.
How is an Approved Scanning Vendor (ASV) different from a Qualified Security Assessor (QSA)?
An ASV performs only the external vulnerability scans described in PCI DSS Requirement 11.2.2. A QSA is an assessor company that has been qualified and trained by the PCI Security Standards Council (SSC) to perform general PCI DSS on-site assessments.
Is Tenable a certified PCI ASV?
Yes. Tenable is qualified as an Approved Scanning Vendor (ASV) to validate external vulnerability scans of the internet-facing environments (used to store, process, or transmit cardholder data) of merchants and service providers. The ASV qualification process consists of three parts: the first is the qualification of Tenable Network Security as a vendor; the second is the qualification of the Tenable employees responsible for the remote PCI scanning services; the third is security testing of Tenable’s remote scanning solution (Tenable.io Vulnerability Management and Tenable.io PCI ASV).
As an Approved Scanning Vendor (ASV), does Tenable actually perform the scans?
Does Tenable.io PCI ASV comply with EU data sovereignty requirements?
Vulnerability scan data is not personal data within the meaning of the EU Data Protection Directive (95/46/EC), so any data residency requirements would be customer driven rather than regulatory. EU member-state governmental organizations could have their own data residency requirements, but those would have to be assessed on a case-by-case basis and are probably not an issue for PCI ASV scans.
Tenable.io ASV Pricing/Licensing/Ordering
Does Tenable.io VM include any PCI ASV licenses?
Yes, Tenable.io VM includes a PCI ASV license for a single, unique PCI asset. Some organizations have taken great pains to limit the assets in scope for PCI, often by outsourcing payment processing functions. Because these customers are arguably "not in the PCI business", Tenable has simplified their purchasing and licensing. A customer can change their asset every 90 days.
How is Tenable.io PCI ASV licensed?
For customers having more than a single, unique PCI asset, the Tenable.io PCI ASV solution is licensed as an add-on to Tenable.io Vulnerability Management subscriptions.
Why isn’t Tenable.io PCI ASV licensed according to the number of a customer’s internet-facing PCI assets?
The number of internet-facing hosts that are within or provide a path to an entity’s cardholder data environment (CDE) can change frequently, thereby creating licensing complexity. Tenable elected to use a simpler licensing approach.
How many attestations may a customer submit per quarter?
Customers can submit an unlimited number of quarterly attestations.
Are Trial/Evaluation customers eligible to evaluate Tenable.io PCI ASV?
Yes. An evaluation customer can use the PCI Quarterly External Scan template to scan assets and review results. However, they cannot submit the scan reports for attestation.
How will existing Tenable.io VM customers transition to the new capability?
The new capability will be activated automatically on July 24, 2017 so customers will be able to use it for their next PCI ASV scan. Existing customers will not need to license the new PCI ASV capability for a minimum of one year.
How will SecurityCenter customers that have licensed the current PCI ASV capability transition to the new capability?
SecurityCenter® customers that have already licensed External/PCI Scanning will start using Tenable.io PCI ASV after it becomes available. At renewal, those customers can simply renew using their existing SKUs. However, it may be to their advantage to license Tenable.io PCI ASV instead.