Is Your Tech Ticking Toward Obsolescence? Catch End-of-Life Assets Before They Crash!


PCI DSS 4.0.1 requirement 12.3.4 requires that all software and hardware are supported by the vendor. That sounds easy. Right? It’s not. It is often a hurdle during PCI assessments. All software and hardware means all software and hardware. This might mean the firewall, the Linux server in the back of the data center that never gets used, the phone system, the HSM (hardware security module), etc.


If assets are no longer supported by the vendor and are not receiving security updates, the asset might become an easy entry point into your environment. Newly discovered vulnerabilities aren’t patched and can therefore be used for malicious exploits.


To comply with this requirement, accurate inventories must be maintained. These inventories must include all hardware (servers, network devices, point-of-sale terminals) and software (operating systems, databases, and applications). The inventory should include an end-of-life (EOL) field so that end of life is easier to track. Once a year, each asset should be researched to confirm it is still supported. To find when an asset will no longer be supported, refer to the vendor’s website. Using an artificial intelligence site is always helpful with a prompt such as “Is [specific software/hardware] still supported?” When an asset is nearing end of life, create plans to remove or replace it before it is no longer supported. It is possible to be PCI compliant with non-supported systems, but a compensating control will be needed.
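As an added example of the annual review described above (this is not Auditwerx's tooling, and the inventory format, column names, vendor names and dates are all constructed for illustration), the following Python script reads an asset inventory that carries an EOL field, classifies each asset as supported, nearing end of life, unsupported, or unknown, and flags the compliance gaps: assets whose support status was never established, and unsupported assets with no documented compensating control.

```python
# Added example: audit a constructed hardware/software inventory for end-of-life
# (EOL) status. Not Auditwerx's code; the CSV layout, field names, vendors and
# dates below are assumptions made up for this example.
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory. A real one would be exported from a CMDB or
# asset-tracking tool. eol_date is the vendor-published end-of-support date
# (ISO format); a blank value means nobody has looked it up yet.
INVENTORY_CSV = """asset_id,name,type,vendor,eol_date,compensating_control
FW-01,Edge firewall,hardware,ExampleNet,2027-03-31,
SRV-07,Unused Linux server,hardware,ExampleHW,2024-01-15,
OS-SRV-07,ExampleLinux 7,software,ExampleOS,2024-06-30,isolated VLAN + enhanced monitoring
PBX-01,Phone system,hardware,ExampleVoice,,
HSM-01,Hardware security module,hardware,ExampleCrypto,2026-01-31,
POS-12,POS terminal,hardware,ExamplePay,2025-12-31,
"""

# Fixed "today" so the run is reproducible; use date.today() in practice.
AUDIT_DATE = date(2025, 9, 1)


def parse_inventory(text):
    """Parse the CSV into dicts, converting eol_date to a date or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        eol = row["eol_date"].strip()
        row["eol_date"] = date.fromisoformat(eol) if eol else None
        row["compensating_control"] = row["compensating_control"].strip()
        rows.append(row)
    return rows


def classify(asset, today, warn_days=180):
    """Return 'unknown', 'unsupported', 'nearing_eol' or 'supported'."""
    eol = asset["eol_date"]
    if eol is None:
        return "unknown"  # support status must be researched on the vendor's site
    if eol < today:
        return "unsupported"
    if eol - today <= timedelta(days=warn_days):
        return "nearing_eol"  # start planning removal or replacement now
    return "supported"


def audit(text, today, warn_days=180):
    """Classify every asset and mark the ones that are a compliance gap."""
    findings = []
    for asset in parse_inventory(text):
        status = classify(asset, today, warn_days)
        # A gap is an asset whose support status was never established, or an
        # unsupported asset with no documented compensating control.
        gap = status == "unknown" or (
            status == "unsupported" and not asset["compensating_control"]
        )
        findings.append({"asset_id": asset["asset_id"], "status": status, "gap": gap})
    return findings


def gaps(text, today, warn_days=180):
    """Sorted asset ids that need action before the next assessment."""
    return sorted(f["asset_id"] for f in audit(text, today, warn_days) if f["gap"])


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV, AUDIT_DATE):
        print(f"{f['asset_id']:10} {f['status']:12} {'GAP' if f['gap'] else ''}")
    print("Action required:", gaps(INVENTORY_CSV, AUDIT_DATE))
```

The 180-day warning window is an arbitrary choice; set it to whatever lead time your procurement and change process actually needs. Note that an asset with a documented compensating control is not flagged as a gap, but it still appears as unsupported in the output, which is what an assessor will want to see.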


Complying with Requirement 12.3.4 may present challenges, particularly for organizations with complex or legacy environments. Older systems, common in retail or hospitality, may be unsupported but critical to operations, requiring costly upgrades or custom solutions that are impractical. Small businesses may lack the budget or expertise to conduct thorough reviews or replace EOL systems. Software or hardware (or even appliances) managed by third-party service providers (TPSPs) may complicate support verification, necessitating clear contractual agreements.

To address these issues, organizations should adopt a phased approach, prioritize high-risk systems, and determine where a compensating control can be used.

Requirement 12.3.4 underscores the critical need to maintain supported hardware and software within the CDE. By conducting annual reviews, verifying vendor support, and proactively managing EOL systems, organizations can mitigate risks, achieve compliance, and protect cardholder data. Investing in supported technologies today safeguards your business’s security, reputation, and growth in the digital payment era.

While this effort may seem challenging, early preparation will make compliance smoother. Don’t wait—contact Auditwerx at [email protected] or visit www.auditwerx.com for expert guidance to simplify your PCI DSS compliance journey.
