WithPCI.com

12.3.4 Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.3.4 Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:

  • Analysis that the technologies continue to receive security fixes from vendors promptly.
  • Analysis that the technologies continue to support (and do not preclude) the entity's PCI DSS compliance.
  • Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced "end of life" plans for a technology.
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced "end of life" plans.

Customized Approach Objective

The entity's hardware and software technologies are up to date and supported by the vendor. Plans to remove or replace all unsupported system components are reviewed periodically.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

12.3.4 Examine documentation for the review of hardware and software technologies in use and interview personnel to verify that the review is in accordance with all elements specified in this requirement.

Purpose

Hardware and software technologies are constantly evolving, and organizations need to be aware of changes to the technologies they use, as well as the evolving threats to those technologies to ensure that they can prepare for, and manage, vulnerabilities in hardware and software that will not be remediated by the vendor or developer.

Good Practice

Organizations should review firmware versions to ensure they remain current and supported by the vendors. Organizations also need to be aware of changes made by technology vendors to their products or processes to understand how such changes may impact the organization's use of the technology.

Regular reviews of technologies that impact or influence PCI DSS controls can assist with purchasing, usage, and deployment strategies, and ensure controls that rely on those technologies remain effective. These reviews include, but are not limited to, reviewing technologies that are no longer supported by the vendor and/or no longer meet the security needs of the organization.
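The review described above is usually evidenced with a spreadsheet, but the four elements of 12.3.4 map cleanly onto checks that can be run over a technology inventory so that nothing is missed between annual reviews. The script below is an added illustration, not code from WithPCI.com or from the PCI SSC: it takes a constructed inventory of fictitious products and dates (all assumptions, not real vendor data), applies each element of the requirement (security fixes still arriving, PCI DSS controls still supported, vendor end-of-life announcements, and an approved remediation plan for anything outdated), and returns findings that can be attached to the review record. The thresholds (90 days since the last security fix, 365-day end-of-life horizon) are example values to be set by the entity's own policy.

```python
"""Annual technology review helper (added illustration, not WithPCI.com code).

Checks a constructed hardware/software inventory against the four elements of
PCI DSS v4.0.1 requirement 12.3.4 and returns findings for the review record.
Thresholds, field names and the inventory are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Technology:
    name: str
    version: str
    vendor: str
    supports_pci_dss: bool                   # still supports (does not preclude) compliance
    last_security_fix: Optional[date]        # most recent vendor security fix received
    end_of_life: Optional[date]              # vendor-announced EOL date, if any
    remediation_plan_approved: bool = False  # plan approved by senior management


@dataclass
class Finding:
    technology: str
    severity: str   # "fail" (element not met) or "warn" (needs attention before next review)
    element: str    # which 12.3.4 bullet the finding relates to
    detail: str


def review_inventory(inventory: List[Technology], review_date: date,
                     max_fix_age_days: int = 90,
                     eol_horizon_days: int = 365) -> List[Finding]:
    """Return one Finding per unmet or at-risk 12.3.4 element for each technology."""
    findings: List[Finding] = []
    for t in inventory:
        label = f"{t.name} {t.version} ({t.vendor})"
        needs_plan = False  # set when the technology counts as outdated

        # Element 1: technology continues to receive security fixes promptly.
        if t.last_security_fix is None:
            findings.append(Finding(label, "fail", "security fixes",
                                    "no vendor security fix on record"))
            needs_plan = True
        else:
            age = (review_date - t.last_security_fix).days
            if age > max_fix_age_days:
                findings.append(Finding(label, "warn", "security fixes",
                                        f"last security fix {age} days ago; confirm vendor still patching"))

        # Element 2: technology continues to support (does not preclude) PCI DSS compliance.
        if not t.supports_pci_dss:
            findings.append(Finding(label, "fail", "PCI DSS support",
                                    "technology precludes one or more PCI DSS controls"))
            needs_plan = True

        # Element 3: industry announcements such as vendor end-of-life plans.
        if t.end_of_life is not None:
            needs_plan = True
            days_to_eol = (t.end_of_life - review_date).days
            if days_to_eol <= 0:
                findings.append(Finding(label, "fail", "end of life",
                                        f"past vendor end of life ({t.end_of_life.isoformat()})"))
            elif days_to_eol <= eol_horizon_days:
                findings.append(Finding(label, "warn", "end of life",
                                        f"end of life in {days_to_eol} days ({t.end_of_life.isoformat()})"))

        # Element 4: senior-management-approved plan to remediate outdated technology.
        if needs_plan and not t.remediation_plan_approved:
            findings.append(Finding(label, "fail", "remediation plan",
                                    "outdated technology has no approved remediation plan"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by severity for the review summary."""
    counts = {"fail": 0, "warn": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory with fictitious products and dates (not real vendor data).
REVIEW_DATE = date(2025, 6, 30)
SAMPLE_INVENTORY = [
    Technology("Example POS Firmware", "4.2", "ExampleCorp", True,
               last_security_fix=date(2025, 5, 15), end_of_life=None),
    Technology("Example DB Server", "11", "ExampleCorp", True,
               last_security_fix=date(2024, 11, 1), end_of_life=date(2026, 3, 31),
               remediation_plan_approved=True),
    Technology("Example VPN Appliance", "2.0", "ExampleNet", False,
               last_security_fix=None, end_of_life=date(2024, 12, 31)),
    Technology("Example Web Framework", "6", "ExampleSoft", True,
               last_security_fix=date(2025, 6, 20), end_of_life=date(2025, 12, 31)),
]


if __name__ == "__main__":
    results = review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
    for f in results:
        print(f"[{f.severity.upper()}] {f.technology}: {f.element}: {f.detail}")
    print(summarize(results))
```

Run against the constructed inventory, the firmware that is still patched and has no end-of-life announcement produces no findings, the database server with an approved plan only produces warnings, and the past-end-of-life VPN appliance fails every element. A "warn" is what the review should surface a year ahead so that the senior-management-approved plan exists before the vendor stops shipping fixes; a "fail" is what an assessor would expect to see addressed in the review documentation.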

Further Information

Purpose

Assign responsibility for enforcing critical technology usage policies.

Compliance strategies

  • Role assignment
  • Policy enforcement logs

Typical policies

  • Technology Policy Enforcement Matrix

Common pitfalls

  • Unclear enforcement responsibility

Type

Governance

Difficulty

Low

Key risks

  • Policy violations not addressed

Recommendations

  • Integrate with IT operations management

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
