Annual Review
PCI DSS 12.3.3 expects a documented inventory of the cipher suites and protocols in use, including their purpose and where each is used, and it expects you to review that inventory at least once every 12 months (a best practice until 31 March 2025, mandatory since). A scan you ran last year is stale the moment a dependency bumps or a config changes. CipherM turns that yearly obligation into a scheduled, evidence-backed cadence.
The recurring workflow
Re-run the same source + config + endpoint inventory on a set interval, so the 12-month re-confirmation happens on time instead of as a fire drill the week before assessment.
Compare this cycle's inventory against the last. Surface what was added, removed, upgraded or downgraded — so the review is a change story, not a re-keyed spreadsheet.
Each cycle is timestamped and retained: what was scanned, what was found, what changed since last time. That history is the evidence the annual review asks you to keep.
Get notified ahead of your next QSA window so the inventory is re-confirmed and documented before the auditor asks — not after.
The 12-month loop
01
Establish the documented inventory across source, config and live TLS.
02
Continuous monitoring catches drift between cycles as code and configs change.
03
At the 12-month mark, re-scan and diff against the baseline to re-confirm the inventory.
04
Hand the QSA a dated audit trail showing the inventory was reviewed on schedule.
12.3.3 sets a minimum of every 12 months. Continuous monitoring between cycles is part of the paid CipherM offering, not the free single scan — it is how you avoid discovering a year's worth of drift all at once at review time.
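The diff-against-baseline step (03) and the dated record (04) are simple enough to illustrate end to end. The script below is an added example, not CipherM's code and not something the page ships: it assumes an inventory keyed by `host:port` with `protocols` and `ciphers` lists (IANA suite names), a protocol ranking and a list of weak-suite markers that are both assumptions, and constructed `example.com` entries standing in for real scan output. `probe_endpoint` shows how a live entry could be captured with the standard `ssl` module; it needs network access and is not used by the offline demo.

```python
"""Year-over-year cipher-suite inventory diff with a dated review record (added example)."""
import json
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumed ranking: a change in the weakest (floor) or strongest (ceiling)
# protocol offered is read as a downgrade or an upgrade.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Assumed substrings that mark a suite as legacy for review purposes.
WEAK_MARKERS = ("NULL", "EXPORT", "anon", "RC4", "3DES", "MD5")
# Fixed review date so the record (and its 12-month due date) is reproducible.
REVIEW_DATE = datetime(2025, 4, 1, tzinfo=timezone.utc)


def is_weak(cipher):
    return any(marker in cipher for marker in WEAK_MARKERS)


def probe_endpoint(host, port=443, timeout=5.0):
    """One live inventory entry from a single handshake with this client's defaults.
    Caveat: one handshake records only the suite the server picked, not everything
    it would accept; a full offered-suite list needs a dedicated scanner."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            suite, _version, _bits = tls.cipher()
            return {"protocols": [tls.version()], "ciphers": [suite]}


def diff_endpoint(old, new):
    """Compare one endpoint's baseline and current entries; returns (verdict, detail).
    Order-insensitive: lists are compared as sets. Any regression wins the verdict."""
    old_p, new_p = set(old["protocols"]), set(new["protocols"])
    old_c, new_c = set(old["ciphers"]), set(new["ciphers"])
    rank = PROTOCOL_RANK.__getitem__
    old_floor, new_floor = rank(min(old_p, key=rank)), rank(min(new_p, key=rank))
    old_ceil, new_ceil = rank(max(old_p, key=rank)), rank(max(new_p, key=rank))
    regressions, improvements = [], []
    if new_floor < old_floor:
        regressions.append("weakest protocol lowered")
    elif new_floor > old_floor:
        improvements.append("weakest protocol raised")
    if new_ceil < old_ceil:
        regressions.append("strongest protocol removed")
    elif new_ceil > old_ceil:
        improvements.append("newer protocol added")
    weak_added = sorted(c for c in new_c - old_c if is_weak(c))
    weak_removed = sorted(c for c in old_c - new_c if is_weak(c))
    if weak_added:
        regressions.append("weak cipher(s) added: " + ", ".join(weak_added))
    if weak_removed:
        improvements.append("weak cipher(s) removed: " + ", ".join(weak_removed))
    if regressions:
        verdict = "downgraded"
    elif improvements:
        verdict = "upgraded"
    elif old_p != new_p or old_c != new_c:
        verdict = "changed"  # differs, but neither clearly better nor worse
    else:
        verdict = "unchanged"
    detail = {
        "protocols_added": sorted(new_p - old_p), "protocols_removed": sorted(old_p - new_p),
        "ciphers_added": sorted(new_c - old_c), "ciphers_removed": sorted(old_c - new_c),
        "reasons": regressions + improvements,
    }
    return verdict, detail


def diff_inventories(baseline, current):
    """Bucket every endpoint from either cycle as added/removed/upgraded/downgraded/changed/unchanged."""
    report = {k: [] for k in ("added", "removed", "upgraded", "downgraded", "changed", "unchanged")}
    report["details"] = {}
    for ep in sorted(set(baseline) | set(current)):
        if ep not in baseline:
            report["added"].append(ep)
        elif ep not in current:
            report["removed"].append(ep)
        else:
            verdict, detail = diff_endpoint(baseline[ep], current[ep])
            report[verdict].append(ep)
            report["details"][ep] = detail
    return report


def review_record(baseline, current, reviewed_at=None):
    """Dated record of one review cycle, with the 12-month due date of the next one."""
    reviewed_at = reviewed_at or datetime.now(timezone.utc)
    return {
        "reviewed_at": reviewed_at.isoformat(),
        "next_review_due": (reviewed_at + timedelta(days=365)).isoformat(),
        "endpoints_in_scope": len(current),
        "diff": diff_inventories(baseline, current),
    }


# Constructed sample inventories (not real hosts or scan results).
BASELINE = {
    "api.example.com:443": {"protocols": ["TLSv1.2"], "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
    "legacy.example.com:443": {"protocols": ["TLSv1", "TLSv1.2"],
                               "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    "vpn.example.com:443": {"protocols": ["TLSv1.2"], "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    "mail.example.com:587": {"protocols": ["TLSv1.2", "TLSv1.3"],
                             "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]},
    "old.example.com:8443": {"protocols": ["TLSv1.2"], "ciphers": ["TLS_RSA_WITH_AES_128_CBC_SHA"]},
}
CURRENT = {
    "api.example.com:443": {"protocols": ["TLSv1.2", "TLSv1.3"],
                            "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_128_GCM_SHA256"]},
    "legacy.example.com:443": {"protocols": ["TLSv1.2"], "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    "vpn.example.com:443": {"protocols": ["TLSv1.1", "TLSv1.2"],
                            "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_RC4_128_SHA"]},
    "mail.example.com:587": {"protocols": ["TLSv1.3", "TLSv1.2"],  # reordered only
                             "ciphers": ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384"]},
    "new.example.com:443": {"protocols": ["TLSv1.3"], "ciphers": ["TLS_AES_256_GCM_SHA384"]},
}

if __name__ == "__main__":
    print(json.dumps(review_record(BASELINE, CURRENT, REVIEW_DATE), indent=2))
```

Running it prints the review record as JSON: `api` and `legacy` land in `upgraded`, `vpn` in `downgraded` (TLS 1.1 and an RC4 suite appeared), `mail` is `unchanged` despite reordering, and the record carries both the review date and the date 365 days out. Retaining one such record per cycle is the audit trail step 04 asks for; the `reasons` list is what turns the diff into the change story the review wants rather than a raw set difference.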
Reminder
Drop your email and we'll nudge you ahead of your next annual cipher-inventory window, with a link to re-run the scan. No spam — just the reminder and the re-scan.
Recurring scans, year-over-year diffs and a retained audit trail are part of the CipherM B2B plans. See how the cadence is priced.