PCI ASV External FAQ

PCI ASV refers to requirement 11.2.2 of the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures that requires quarterly external vulnerability scans, which must be performed (or attested to) by an Approved Scanning Vendor (ASV). An ASV is an organization with a set of services and tools (“ASV Scanning Solution”) to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2.

The PCI DSS requires vulnerability scanning of all externally accessible (internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment, as well as any externally facing system component that provides a path to the cardholder data environment.

The main phases of ASV scanning consist of:

• Scoping: performed by the customer to include all internet-facing system components that are part of the cardholder data environment.
• Scanning: using the specified Tenable Vulnerability Management PCI and WAS templates. Multiple Cardholder Data Environment (CDE) sections can be scanned individually.
• Merge multiple scans into a single attestation
• Reporting/remediation: results from interim reports are remediated.
• Dispute Resolution: Customer and ASV (Tenable) work together to document and resolve disputed scan results.
• Rescan (as needed): until a passing scan that resolves disputes and exceptions is generated.
• Merge multiple scans into a single attestation
• Final Reporting: submitted and delivered in a secure fashion.

ASV Vulnerability scans are required at least quarterly and after any significant change in the network, such as new system component installations, changes in network topology, firewall-rule modifications, or product upgrades.

An ASV specifically performs only the external vulnerability scans described in PCI DSS 11.2. A QSA refers to an assessor company that has been qualified and trained by PCI Security Standards Council (SSC) to perform general PCI DSS on-site assessments.

Yes. Tenable is qualified as an Approved Scanning Vendor (ASV) to validate external vulnerability scans of internet facing environments (used to store, process, or transmit cardholder data) of merchants and service providers. The ASV qualification process consists of three parts: the first involves the qualification of Tenable Network Security as a vendor. The second relates to the qualification of Tenable’s employees responsible for the remote PCI Scanning Services. The third consists of the security testing of Tenable’s remote scanning solution (Tenable Vulnerability Management and Tenable PCI ASV).

ASVs may perform the scans. However, Tenable relies on customers to conduct their own scans using the PCI Quarterly External Scan template. This template prevents customers from changing configuration settings, such as disabling vulnerability checks, assigning severity levels, altering scan paraments, etc.. Customers use Tenable Vulnerability Management cloud-based scanners to scan their internet facing environments and then submit compliant scan reports to Tenable for attestation. Tenable attests the scan reports, and then the customer submits them to their acquirers or payment brands as directed by the payment brands.

Vulnerability data is not EU DPD 95/46/EC data, so any data residency requirements would be customer, not regulatory driven. EU state governmental organizations could have their own data residency requirements, but those would have to be assessed on a case-by-case basis and probably not an issue for PCI-ASV scans.

Yes, Tenable Vulnerability Management includes a PCI ASV license for a single, unique PCI asset. Some organizations have taken great pains to limit the assets in scope for PCI, often by outsourcing payment processing functions. Because these customers are arguably "not in the PCI business", Tenable has simplified their purchasing and licensing. A customer can change their asset every 90 days.

For customers having more than a single, unique PCI asset, the Tenable PCI ASV solution is licensed as an add-on to Tenable Vulnerability Management subscriptions.

The number of internet-facing hosts that are within or provide a path to an entity’s cardholder data environment (CDE) can change frequently, thereby creating licensing complexity. Tenable elected to use a simpler licensing approach.

Customers can submit an unlimited number of quarterly attestations.

Yes. An evaluation customer can use the PCI Quarterly External Scan template to scan assets and review results. However, they cannot submit the scan reports for attestation.

The new capability will be activated automatically on July 24, 2017 so customers will be able to use it for their next PCI ASV scan. Existing customers will not need to license the new PCI ASV capability for a minimum of one year.

SecurityCenter® customers that have already licensed External/PCI Scanning will start using Tenable PCI ASV after it becomes available. At renewal, those customers can simply renew using their existing SKUs. However, it may be to their advantage to license Tenable PCI ASV instead.