PCI DSS 12.3.3: Review Cryptographic Cipher Suites Annually
PCI DSS 12.3.3 requires organizations to document all cryptographic cipher suites and protocols in use and review them at least once every 12 months. This control ensures outdated or weak cryptographic methods don't compromise cardholder data security. Staying current with cipher suite reviews is critical for preventing exploitation of known cryptographic vulnerabilities.
What this means
Your organization must maintain a complete inventory of every cryptographic cipher suite and protocol deployed across systems that handle payment card data. This includes SSL/TLS versions, encryption algorithms, and key exchange mechanisms. At minimum, you need to conduct a formal review at least annually to identify deprecated or weak ciphers, verify compliance with current security standards, and document any exceptions or remediation plans.
How to comply
- 1.Create and maintain a comprehensive inventory of all cryptographic cipher suites and protocols in use across your environment
- 2.Document the business justification, deployment date, and cryptographic strength classification for each cipher suite
- 3.Schedule an annual review cycle and assign ownership to your security or compliance team
- 4.During each review, assess cipher suites against current NIST guidelines and industry best practices
- 5.Identify and prioritize weak or deprecated ciphers (such as DES, RC4, or older TLS versions) for decommissioning
- 6.Create a remediation timeline for replacing non-compliant cipher suites with stronger alternatives
- 7.Document review findings, decisions, and any approved exceptions with business justification
- 8.Update your documentation within 30 days of any changes to cryptographic configurations
- 9.Maintain evidence of all annual reviews for audit purposes
Evidence auditors look for
- Cryptographic inventory spreadsheet listing all cipher suites, protocols, systems, and deployment dates
- Annual cipher suite review reports signed by management with findings and remediation actions
- Network scanning or SSL/TLS analysis reports showing which ciphers are active in production
- Email notifications or meeting minutes confirming the annual review was completed on schedule
- Exceptions log documenting approved weak ciphers with business justification and expiration dates
- Remediation tickets or change logs showing retirement of deprecated cipher suites
- Configuration management system records showing cryptographic settings across infrastructure
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and inventories all active cryptographic cipher suites across your infrastructure, tracks annual review deadlines, and flags deprecated or weak ciphers in real-time so you never miss a compliance requirement.
See how GRCWatch handles this control automatically
Start free trial