PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. This article is part of a series of articles under the “What’s New in PCI-DSS v4.0” series where we explore what has changed in PCI-DSS moving to version 4, with version 3.2.1. to be retired as of 31 March 2024. Read the other articles here:
A new clause (6.3.2.) has been added under Requirement 6: Develop and Maintain Secure Systems and Software:
6.3.2. An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.
This means that the organisation must maintain a comprehensive inventory of all software used in their products or services, including third-party components and libraries. Information about their origin, dependencies, and potential risks can also be included. This is done so that exposure to vulnerabilities and patch updates can be performed swiftly, and reduce the chance and impact of these vulnerabilities being exploited.
Here are some steps that can be taken to create a supply chain inventory of software:
- Identify all software components – Make a list of all software components that are used in your organization’s products or services, including both commercial off-the-shelf (COTS) software and custom software developed in-house.
- Determine the origin of each component – Determine where each software component was obtained, such as from a commercial vendor, open-source community, or in-house development team. This can help identify potential risks associated with each component, such as vulnerabilities or licensing issues.
- Identify dependencies – Identify all the dependencies between software components, such as libraries, frameworks, or APIs. This can help ensure that all components are compatible and up-to-date.
- Assess and prioritise risks – Evaluate each software component for potential risks, such as known vulnerabilities, licensing issues, or compatibility problems. This can help identify areas where additional security measures may be needed. Software components can be prioritised based on their level of risk, such as the potential impact on business operations or customer data in case of a security incident. This is so that any follow-up actions required can be prioritised.
- Regularly update the inventory – Keep the inventory up-to-date by regularly reviewing and updating the list of software components, assessing new components as they are introduced, and removing outdated or no longer used components.
Creating a supply chain inventory of software can help organisations better understand and manage the risks associated with their software supply chain. This can enable more effective risk management, better decision-making, and improved security posture.
WebOrion will be adding capabilities to check for these new requirements in PCI-DSS version 4. If this is something you are interested in, please contact us at firstname.lastname@example.org