QSA Partner Program

The 12.3.3 evidence engine your assessment practice bundles in.

PCI DSS 12.3.3 asks every in-scope organization to maintain a documented, annually-reviewed inventory of the cipher suites and protocols in use. CipherM produces that inventory fast. You own the client relationship and the assessment; we are the tool underneath it.

The opportunity

12.3.3 is mandatory. Every PCI client needs the inventory.

The cryptographic-inventory requirement moved from best practice to a full requirement on 31 March 2025. That means every PCI DSS assessment you run now has to account for a documented, maintained inventory of cipher suites and protocols — reviewed at least annually.

For most clients that inventory is assembled by hand the week before fieldwork. That is slow, inconsistent, and hard to refresh year over year. CipherM exists to make that one piece repeatable — so your firm can offer it as a clean, recurring deliverable instead of a scramble.

In force: Since 31 Mar 2025

Applies to: Every in-scope client

Cadence: Reviewed annually

Framing paraphrased from PCI DSS v4.0.1 requirement 12.3.3. Confirm scope against the current standard for each engagement.

How it works

Three ways to bundle CipherM into your practice.

Pick the model that fits how your firm delivers. In every case you keep the buyer relationship and the attestation authority — CipherM is the evidence engine, never the assessor.

Referral

Refer the inventory work

Hand CipherM the cipher-suite and protocol inventory portion of a 12.3.3 engagement. You keep the assessment relationship; we run the evidence collection and hand back a structured report. Referral fee paid per engagement.

Co-delivery

Co-deliver the assessment

Your assessors review and attest; CipherM does the heavy scanning, normalization, and inventory assembly underneath you. Faster fieldwork, fewer manual spreadsheet hours, consistent output across every client.

White-label

White-label evidence pack

Deliver the cryptographic inventory under your firm's name. CipherM generates the documented, annually-reviewable inventory of cipher suites and protocols; you present it as part of your branded deliverable.

What you get

More margin per engagement, less manual evidence work.

Hours back per engagement

12.3.3 inventory work is repetitive when done by hand. CipherM compresses the cipher-suite/protocol discovery and documentation so your assessors spend time on judgment, not data entry.

Consistent, repeatable output

Every client gets the same structured inventory format — easier to review, easier to defend, easier to refresh on the annual cadence the requirement calls for.

A new line item to sell

12.3.3 is now in force for every PCI client you serve. Position the documented inventory as a recurring, annually-reviewed deliverable rather than a one-time scramble.

No tooling to build or maintain

Skip building inventory tooling in-house. CipherM is the engine; your firm keeps the buyer relationship and the attestation authority.

Launch partner roster

Slot open — your firm here

The launch partner program is open. We do not display partner firms until they have signed on and approved being listed.

Become a launch partner

Help shape the QSA partner program.

We are signing a small group of assessment firms as launch partners. Founding partners help shape referral terms, co-delivery workflow, and the white-label evidence pack — and get first access when it ships. Drop your work email and we will reach out.

Prefer a conversation first? Book a partner intro call.