Some of the 51 future-dated requirements of the new PCI DSS v4.0.1 that become effective on March 31, 2025, are related to inventory management. Let’s start by talking about software. In the digital era, software has become the fundamental engine powering organizational operations, and your organization undoubtedly relies on a variety of software applications to conduct business, many of which are bespoke or custom-built solutions.

Software is a double-edged sword, however. While it’s essential for carrying out business processes and transactions, it also contains vulnerabilities that attackers are eager to exploit. To address this risk, PCI DSS v4.0.1 introduces Requirement 6.3.2, which mandates that organizations maintain an inventory of all bespoke and custom software.


The Rationale Behind Requirement 6.3.2

While all software can be vulnerable, custom or bespoke software is particularly at risk. “Bespoke” refers to software that is specifically designed and developed to meet the unique needs of an organization or individual, rather than off-the-shelf solutions available to the general public. This customization can create gaps in security, potentially opening doors for attackers. The fact is that custom or bespoke software doesn’t receive the same level of support and security updates as widely used commercial products. It often lacks robust security controls that are typical of mainstream software products.

The unique nature of custom software often makes it more susceptible to security vulnerabilities, creating potential entry points for attackers seeking to access sensitive data within your network. Recognizing this risk, the inventory requirement helps ensure that all your bespoke and custom-developed software undergoes regular vulnerability assessments and receives timely updates, including necessary patches and security enhancements.


Building Your Software Component Catalog

The new software inventory requirement mandates that organizations maintain a detailed catalog of all software used in their products or services, covering both in-house developed applications and integrated third-party components. Here are the steps you need to take to make sure you are compliant with 6.3.2:

  • Catalog all software components: Create a comprehensive list of all software components used in your organization’s products or services, including both commercial off-the-shelf (COTS) software and custom software developed internally.
  • Determine the source of each component: Identify the origin of each software component, whether it’s sourced from a commercial vendor, the open-source community, or developed in-house. Understanding the source helps assess potential risks, such as vulnerabilities or licensing concerns.
  • Identify dependencies: Map out any dependencies between software components, such as libraries, frameworks, or APIs.
  • Evaluate and prioritize risks: Assess each software component for potential risks, such as known vulnerabilities, licensing problems, or compatibility issues. Prioritize these risks based on their potential impact on business operations or customer data in the event of a security breach. This allows you to address critical issues first and allocate resources efficiently.
  • Keep the inventory current: Regularly review and update the inventory by adding new components, assessing newly introduced software, and removing outdated or unused components. This ensures the inventory remains accurate and relevant.
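The five steps above can be carried out in a small, repeatable script rather than a spreadsheet. The following is an added example written for this article, not code from HALOCK or from the PCI SSC: it parses a constructed pinned-dependency manifest for a bespoke application, records the source of every component (in-house versus third-party), maps the application's dependencies, scores each component for review priority using the article's own reasoning (bespoke code gets less external support, so it is weighted higher, as are components with a known vulnerability or that handle cardholder data), and flags entries whose last assessment is older than a review window. The package names, review records, the 90-day window and the scoring weights are all assumptions made up for the illustration.

```python
"""Minimal software component inventory in the spirit of PCI DSS 6.3.2 (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample input: pinned dependencies of a bespoke application.
# This manifest is made up for the example and is not from any real project.
REQUIREMENTS_TXT = """\
# payment-gateway-adapter: bespoke, developed in-house
requests==2.31.0
cryptography==41.0.5
internal-tokenizer==3.2.0   # built by our own platform team
"""

# Constructed: package names known to be developed in-house (everything else is third-party).
IN_HOUSE_PACKAGES = {"payment-gateway-adapter", "internal-tokenizer"}

# Constructed review records: last assessment date, whether a known vulnerability is
# open, and whether the component touches cardholder data ("chd").
REVIEW_RECORDS = {
    "payment-gateway-adapter": {"last_reviewed": date(2025, 1, 15), "known_vuln": False, "chd": True},
    "requests": {"last_reviewed": date(2024, 9, 1), "known_vuln": False, "chd": False},
    "cryptography": {"last_reviewed": date(2025, 2, 1), "known_vuln": False, "chd": True},
    "internal-tokenizer": {"last_reviewed": date(2024, 6, 30), "known_vuln": True, "chd": True},
}

# Assumed "as of" date for the freshness check (the v4.0.1 effective date).
AS_OF = date(2025, 3, 31)
MAX_REVIEW_AGE_DAYS = 90  # assumed review window

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s#]+)")


@dataclass
class Component:
    name: str
    version: str
    source: str                     # "in-house" or "third-party"
    dependencies: list[str] = field(default_factory=list)
    last_reviewed: date | None = None
    known_vuln: bool = False
    handles_cardholder_data: bool = False


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from a pinned manifest, ignoring comments and blank lines."""
    return [(m.group(1), m.group(2)) for line in text.splitlines() if (m := _PIN_RE.match(line))]


def classify_source(name: str) -> str:
    """Step 2: record where the component came from."""
    return "in-house" if name in IN_HOUSE_PACKAGES else "third-party"


def build_inventory(app_name: str, app_version: str, manifest: str, records: dict) -> dict[str, Component]:
    """Steps 1 and 3: catalog the application plus every component it depends on."""
    deps = parse_requirements(manifest)
    inventory: dict[str, Component] = {}

    def make(name: str, version: str, dependencies: list[str]) -> Component:
        rec = records.get(name, {})
        return Component(name, version, classify_source(name), dependencies,
                         rec.get("last_reviewed"), rec.get("known_vuln", False), rec.get("chd", False))

    inventory[app_name] = make(app_name, app_version, [n for n, _ in deps])
    for name, version in deps:
        inventory[name] = make(name, version, [])
    return inventory


def is_stale(c: Component, today: date, max_age_days: int = MAX_REVIEW_AGE_DAYS) -> bool:
    return c.last_reviewed is None or (today - c.last_reviewed).days > max_age_days


def risk_score(c: Component, today: date) -> int:
    """Step 4: a simple additive priority score (weights are assumptions for this example)."""
    score = 0
    if c.known_vuln:
        score += 3
    if c.handles_cardholder_data:
        score += 2
    if c.source == "in-house":
        score += 2   # bespoke code gets less outside support, per the article
    if is_stale(c, today):
        score += 1
    return score


def stale_components(inventory: dict[str, Component], today: date) -> list[str]:
    """Step 5: entries whose last assessment is older than the review window."""
    return sorted(n for n, c in inventory.items() if is_stale(c, today))


def prioritized(inventory: dict[str, Component], today: date) -> list[tuple[str, int]]:
    """Components ordered by descending risk score, then name."""
    return sorted(((n, risk_score(c, today)) for n, c in inventory.items()), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    inv = build_inventory("payment-gateway-adapter", "1.4.0", REQUIREMENTS_TXT, REVIEW_RECORDS)
    for name, score in prioritized(inv, AS_OF):
        c = inv[name]
        print(f"{score:>2}  {name}=={c.version}  [{c.source}]  deps={c.dependencies}")
    print("needs re-assessment:", stale_components(inv, AS_OF))
```

Run as a script it prints the inventory in review-priority order; in practice the manifest parser would be swapped for whatever your build system emits (a lock file or an SBOM), and the review records would come from your vulnerability-management tooling rather than a literal in the file.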


In addition to helping you identify and track vulnerabilities specific to custom software components, this software inventory requirement will also enable you to prioritize and apply patches, monitor end-of-life statuses, and streamline future audit assessments. Custom software is just one aspect of the inventory requirements, as you will also be responsible for tracking cryptographic cipher suites and digital certificates. If you’re unsure whether you’re prepared for the upcoming PCI DSS mandates, which take effect at the end of March, HALOCK Security Labs can assist in assessing your responsibilities and guiding you through the necessary steps to achieve compliance.
