PCI DSS 12.3.3 · CycloneDX 1.6

Every cipher suite you run, documented for your auditor.

PCI DSS 4.0.1 Requirement 12.3.3 has mandated a documented, annually-reviewed inventory of your cryptographic cipher suites and protocols since March 2025. CipherM scans your code, configs, and live TLS and produces it — as a CycloneDX CBOM your QSA accepts.

Future-proof, too: the same inventory flags every RSA/ECDSA asset for the post-quantum migration. See the Threat Clock →

7 languages · 104 detection rules · QSA-ready CBOM
Findings, top 100 OSS: 14,829
237 critical · 4,118 high
RSA-2048 → ML-KEM-768
ECDSA P-256 → ML-DSA-65
SHA-1 → SHA-3-384
PCI DSS 4.0.1 · Requirement 12.3.3

Your assessor will ask for a cryptographic inventory. Most teams don’t have one.

12.3.3 requires you to document every cipher suite and protocol in use, review it at least annually, and track anything deprecated — in effect since 31 March 2025. The usual answer is a stale spreadsheet stitched together by hand before each assessment. CipherM generates the artifact from your actual code, configs, and live endpoints, so the inventory is real and current.

What 12.3.3 requires
Inventory

Every cipher suite, protocol, and key — mapped.

104 rules across 7 languages and configs detect your TLS versions, cipher suites, certificates, hashing, and key sizes — the exact assets 12.3.3 asks you to document. Classical and post-quantum (ML-KEM, ML-DSA, hybrid TLS) in one pass.

Attest

A QSA-ready inventory. In one command.

CycloneDX 1.6 — the SBOM industry standard — mapped to PCI DSS 12.3.3, plus NIST SP 800-208, CNSA 2.0, and eIDAS 2.0 for your post-quantum roadmap.

cipherm-scan

Open-source CLI. Walk a repo and its configs, emit a CycloneDX 1.6 CBOM — your documented cryptographic inventory. 104 rules across 7 languages.

TLS cipher check

Point cipherm-tls at any host and see exactly which TLS versions and cipher suites it negotiates — the live half of your 12.3.3 inventory.

Audit pack

Export a QSA-ready pack: every cipher suite and protocol mapped to PCI DSS 12.3.3, with deprecation notes and a remediation plan.

Threat Clock

Future-proof angle: live CRQC proximity by year (Mosca 2024, Gidney-Ekerå) so your inventory doubles as a post-quantum migration plan.

By the numbers

Built on standards, not buzzwords.

104 detection rules
7 languages + configs
8 standards mapped
CycloneDX spec 1.6

12.3.3 inventory item

kms.us-east-1.amazonaws.com negotiates classical X25519 over TLS 1.3 — documented, dated, and flagged for review.

cipherm-tls live check

Mapped to the standard

Each finding carries its PCI DSS 12.3.3 reference plus NIST/CNSA mapping — the artifact a QSA signs off.

CycloneDX 1.6 CBOM
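As an added illustration (not CipherM's own code or output) of how the live-check item above lands in a CycloneDX 1.6 CBOM: a constructed TLS observation becomes a protocol asset carrying its cipher suite, the key-exchange algorithm it depends on, the observed endpoint as evidence, and custom properties (names assumed) holding the 12.3.3 reference and a post-quantum review flag.

```python
from datetime import datetime, timezone

# Constructed sample of a live TLS observation (not real cipherm-tls output).
OBSERVATION = {"host": "kms.us-east-1.amazonaws.com", "port": 443, "protocol": "tls",
               "version": "1.3", "cipher_suite": "TLS_AES_256_GCM_SHA384", "key_exchange": "X25519"}

# Key-exchange groups treated as classical; hybrid groups carry "MLKEM" in their name.
CLASSICAL_GROUPS = {"X25519", "X448", "P-256", "P-384", "P-521", "ffdhe2048", "ffdhe3072"}

def pq_status(group):
    """Classify the negotiated key-exchange group for the post-quantum migration column."""
    if "MLKEM" in group.upper():
        return "hybrid-pq"
    return "classical" if group in CLASSICAL_GROUPS else "unknown"

def build_cbom(obs):
    """Emit a minimal CycloneDX 1.6 CBOM: one protocol asset plus the key-exchange algorithm it uses."""
    status = pq_status(obs["key_exchange"])
    proto_ref = f"crypto/protocol/{obs['protocol']}@{obs['version']}"
    kex_ref = f"crypto/algorithm/{obs['key_exchange'].lower()}"
    protocol_asset = {
        "type": "cryptographic-asset", "name": obs["protocol"].upper(), "bom-ref": proto_ref,
        "cryptoProperties": {
            "assetType": "protocol",
            "protocolProperties": {
                "type": obs["protocol"], "version": obs["version"],
                # Each cipher suite lists the bom-refs of the algorithms it relies on.
                "cipherSuites": [{"name": obs["cipher_suite"], "algorithms": [kex_ref]}],
            },
        },
        # Evidence records where the asset was observed: the live endpoint, dated via metadata.
        "evidence": {"occurrences": [{"location": f"{obs['host']}:{obs['port']}"}]},
        # Property names are assumed for this example, not a CipherM or CycloneDX convention.
        "properties": [
            {"name": "pci-dss:requirement", "value": "12.3.3"},
            {"name": "pq:status", "value": status},
            {"name": "pq:review-flag", "value": "false" if status == "hybrid-pq" else "true"},
        ],
    }
    kex_asset = {
        "type": "cryptographic-asset", "name": obs["key_exchange"], "bom-ref": kex_ref,
        "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": {
            "primitive": "kem" if status == "hybrid-pq" else "key-agree"}},
    }
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
            "components": [protocol_asset, kex_asset]}
```

Serialise the returned dict with `json.dumps` to get the CBOM file; a classical group sets the review flag, a hybrid group such as X25519MLKEM768 clears it.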

Future-proof

P(CRQC by 2035) ≈ 0.55 — anchored on the Global Risk Institute Quantum Threat Timeline, Mosca 2024 update.

docs/threat-clock.json

For security & compliance teams

Need a crypto inventory your auditor accepts?

Our Rapid Assessment is a fixed two-week sprint: we scan your source and config, review your TLS, certificate, and key posture by hand, and hand you a CycloneDX CBOM plus an audit-ready pack mapped to PCI DSS 12.3.3 — the documented inventory your QSA asks for.

Fixed price, from $5,000 · 2-week sprint

Fixed scope · source & config scan + human review

Run the scan. Get the inventory. Pass 12.3.3.

Generate a CycloneDX 1.6 CBOM from your code, configs, and live TLS — the documented cryptographic inventory 12.3.3 requires — and hand it to your assessor. Already future-proofed for the post-quantum migration.