WithPCI.com

Requirement 6.3.2: An inventory of bespoke and custom software, and third-party software components is maintained

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.

Customized Approach Objective

Known vulnerabilities in third-party software components cannot be exploited in bespoke and custom software.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

6.3.2.a Examine documentation and interview personnel to verify that an inventory of bespoke and custom software and third-party software components incorporated into bespoke and custom software is maintained, and that the inventory is used to identify and address vulnerabilities.

6.3.2.b Examine software documentation, including for bespoke and custom software that integrates third-party software components, and compare it to the inventory to verify that the inventory includes the bespoke and custom software and third-party software components.

Purpose

Identifying and listing all the entity's bespoke and custom software, and any third-party software that is incorporated into the entity's bespoke and custom software enables the entity to manage vulnerabilities and patches.

Vulnerabilities in third-party components (including libraries, APIs, etc.) embedded in an entity's software also render those applications vulnerable to attacks. Knowing which third-party components are used in the entity's software and monitoring the availability of security patches to address known vulnerabilities is critical to ensuring the security of the software.

Good Practice

An entity's inventory should cover all payment software components and dependencies, including supported execution platforms or environments, third-party libraries, services, and other required functionalities.

There are many different types of solutions that can help with managing software inventories, such as software composition analysis tools, application discovery tools, and mobile device management.
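The following is an added illustration, not code from WithPCI or the PCI Security Standards Council, of the mechanism 6.3.2 asks for: a per-application inventory of third-party components with exact versions, and a check that uses that inventory to find components an advisory says need patching (what testing procedure 6.3.2.a calls "used to identify and address vulnerabilities"). Every application, package, version and advisory id below is constructed for the example; the pip-style "name==version" input format and the "affected if below fixed_in" advisory model are simplifying assumptions, and a real software composition analysis tool would use a proper version-range grammar and a live advisory feed.

```python
"""Added example: a minimal component inventory for bespoke applications,
checked against an advisory feed so the inventory drives patching.
Applications, components, versions and advisory ids are constructed
for illustration and are not real packages or advisories."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Component:
    name: str      # normalised package name
    version: str   # exact pinned version as deployed
    source: str    # ecosystem or vendor the component came from


@dataclass
class Application:
    name: str                 # bespoke/custom application
    owner: str                # team accountable for patching it
    components: list = field(default_factory=list)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id, e.g. "ADV-EXAMPLE-0001"
    component: str
    fixed_in: str             # versions below this are affected (assumed model)


def parse_version(v: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); a non-numeric segment counts as 0 (assumption)."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", seg)) else 0
                 for seg in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison with zero-padding so '2.0' equals '2.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_pinned_requirements(text: str, source: str = "PyPI") -> list:
    """Parse pip-style 'name==version' pins into Components.
    Ranges and unpinned names are rejected: an inventory that cannot state
    the exact deployed version cannot be matched against advisories."""
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][A-Za-z0-9.\-]*)", line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        comps.append(Component(m.group(1).lower(), m.group(2), source))
    return comps


def inventory_rows(apps: list) -> list:
    """Flatten to (application, owner, component, version, source) rows,
    the form an assessor compares against software documentation (6.3.2.b)."""
    return [(a.name, a.owner, c.name, c.version, c.source)
            for a in apps for c in a.components]


def find_affected(apps: list, advisories: list) -> list:
    """(application, component, version, advisory_id, fixed_in) for every
    inventoried component whose version is below an advisory's fix."""
    hits = []
    for app in apps:
        for comp in app.components:
            for adv in advisories:
                if adv.component == comp.name and version_lt(comp.version, adv.fixed_in):
                    hits.append((app.name, comp.name, comp.version,
                                 adv.advisory_id, adv.fixed_in))
    return hits


# Constructed sample data (not real packages or advisories).
CHECKOUT_PINS = "# checkout-web dependencies\npaylib==2.0\njsonkit==1.4.2\n"
SETTLEMENT_PINS = "paylib==2.1.0\ntls-shim==0.9.1\n"
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "paylib", fixed_in="2.0.5"),
    Advisory("ADV-EXAMPLE-0002", "tls-shim", fixed_in="1.0.0"),
]


def build_sample_inventory() -> list:
    """Two bespoke applications, each with its incorporated third-party components."""
    return [
        Application("checkout-web", "payments-team",
                    parse_pinned_requirements(CHECKOUT_PINS)),
        Application("batch-settlement", "finance-eng",
                    parse_pinned_requirements(SETTLEMENT_PINS)),
    ]


if __name__ == "__main__":
    apps = build_sample_inventory()
    for row in inventory_rows(apps):
        print("inventory:", row)
    for hit in find_affected(apps, ADVISORIES):
        print("needs patch:", hit)
```

Two design points carry over to real inventories: the entry is keyed by application as well as component, because the same library at different versions can sit in different bespoke applications with different owners, and exact pins are mandatory input, since a range such as "paylib>=2.0" cannot be compared against an advisory and therefore leaves the component effectively uninventoried.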

Purpose

Review custom code prior to release to production to identify and correct vulnerabilities.

Compliance Strategies

  • Code review process
  • Automated code scanning

Typical Policies

  • Code Review Policy

Common Pitfalls

  • No code review before deployment
  • Missed vulnerabilities

Type

Technical Control

Difficulty

High

Key Risks

  • Production release of insecure code

Recommendations

  • Automate code scanning and require peer review

Eligible SAQ

  • SAQ-A-EP
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
