CipherM Learn

The cryptographic inventory, explained.

Practical, accurate guides to PCI DSS 4.0.1 Requirement 12.3.3 — the mandate that you keep a documented, annually-reviewed inventory of the cipher suites and protocols you run. Read the guides, then run the free scan to see your own.

Run the free scan Book a Rapid Assessment

Guides

Start here.

Requirement 12.3.3

How to build a PCI cipher suite inventory

What 12.3.3 actually requires, what counts as a cryptographic inventory under PCI DSS, how to build one, and the findings QSAs flag most.

Read

Audit evidence

CBOM as QSA evidence: the cryptographic bill of materials

What a CycloneDX CBOM is and why a machine-readable, diffable bill of materials is the evidence artifact a QSA will actually accept.

Read

Early TLS

TLS 1.0 and PCI in 2025: finding deprecated protocols

Why early TLS is deprecated, how it shows up under 12.3.3, and how to find every endpoint and config still negotiating it.

Read

Go further

From reading to evidence.

Run the free scan

Point CipherM at your code, configs, and live TLS and see your cryptographic inventory in minutes.

PCI DSS 12.3.3 overview

The full breakdown of the requirement and how CipherM turns it into a QSA-ready evidence pack.

Want it done for you?

A fixed-scope, two-week Rapid Assessment: we scan, review by hand, and hand you a CycloneDX CBOM plus a QSA-ready 12.3.3 evidence pack.

Book a Rapid Assessment Run the free scan