Requirement 12.3.3 of PCI DSS 4.0.1 is no longer a future best practice — it has been mandatory since March 2025. CipherM produces the documented inventory your QSA asks for, generated from your real code, configs, and live TLS.
Maintain an up-to-date inventory of every cryptographic cipher suite and protocol in use across your cardholder-data environment.
Re-confirm the inventory at least once a year, and whenever your environment changes — actively monitoring for anything weak or deprecated.
Keep a documented strategy to respond to anticipated changes in cryptographic viability, so deprecations don't catch you mid-assessment.
Paraphrased from PCI DSS v4.0.1, Requirement 12.3.3. The usual stand-in — a spreadsheet rebuilt by hand before each assessment — is exactly what auditors increasingly reject as stale.
CipherM scans source code, configuration files (java.security, OpenSSL, TLS configs), and your live endpoints. Network-only scanners miss your code; source-only tools miss your runtime TLS. CipherM covers both.
The output is a CycloneDX CBOM, the industry-standard cryptographic bill of materials: machine-readable, diffable, and interoperable. It is the documented inventory 12.3.3 asks for, in a format that outlives any one vendor.
Every cipher suite and protocol is tagged with its requirement reference and a deprecation note, packaged as a QSA-citable evidence report — the artifact your assessor signs off.
Re-run on a schedule, keep an audit trail, and compare year over year — so the 12-month review is a button, not a fire drill.
The same scan flags every RSA/ECDSA asset for the eventual post-quantum migration — so one inventory answers today's mandate and tomorrow's.
A fixed-scope, two-week Rapid Assessment: we scan your code, configs, and TLS, review by hand, and hand you a CycloneDX CBOM plus a QSA-ready 12.3.3 evidence pack. No six-month enterprise sales cycle.