0

Question is in the title. I can't seem to find a straight answer and Tenable seem to be dodging a yes/no answer on their website. I was told a few years ago that Qualys was approved by PCI for PCI compliance, and that Nessus at the time was not. Has this changed?

Juicy
  • 1,407
  • 4
  • 16
  • 31

2 Answers

4

> 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.

For internal scans you could use Nessus as long as you have documented procedures and the personnel are "qualified."

> 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

For external scans, the scanning must be performed by an approved scanning vendor (ASV). You can find the list of ASVs at https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors. In that case Nessus would not be usable by your own organization, as an ASV must be a third party.

John Downey
  • 1,915
  • 13
  • 12
  • So I understand that external scanning must be done by an approved ASV, but can the ASV use Nessus Professional? Do you know where I can find the PCI guidelines that need to be followed by ASVs, in particular with regards to the scanning tools they are allowed to use? – Juicy Aug 11 '16 at 11:51
  • 1
    @Juicy - Many ASVs do use Nessus. I think they need to do a bit of additional work beyond Nessus to do a compliant ASV scan. Certainly a few years back you did, but that could have changed. – paj28 Aug 11 '16 at 12:00
  • 1
    ASVs are allowed to use whatever they want. However, they must [go through a qualification exam](https://www.pcisecuritystandards.org/assessors_and_solutions/become_asv) for their solution that meets certain requirements. It is certainly possible that Nessus would be part of their solution but many develop their own scanners. – John Downey Aug 11 '16 at 13:25
1

These tools are simply scanning tools, not penetration testing tools. Either can help you with your compliance process, but both require manual follow-up to check for false positives and negatives, impact assessment, etc. So I'm not 100% certain what you mean by "approved for PCI scans."

Tenable certainly do offer ASV scanning as part of their product set, which seems a fairly straightforward statement that you can use Nessus as part of your PCI testing.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320