PCI DSS 12.3.4: Review Hardware and Software Technologies Annually
PCI DSS 12.3.4 mandates that organizations review all hardware and software technologies at least once every 12 months to ensure vendors continue providing security support. Unsupported systems create vulnerabilities that compromise your payment card environment. This control is essential for maintaining an inventory of systems and identifying end-of-life risks before they become compliance failures.
What this means
This control requires you to systematically audit every hardware device and software application in your cardholder data environment (CDE) and supporting systems at least annually. The review must confirm that each component is still receiving active vendor security updates and patches. Any technology that no longer has vendor support must be documented as a risk and either removed, isolated, or replaced with a supported alternative.
How to comply
- 1.Create a comprehensive inventory of all hardware devices and software applications in your environment, including OS versions, applications, and firmware versions
- 2.Document the vendor support status for each item, including end-of-life dates and patch availability timelines
- 3.Schedule an annual review meeting with IT leadership and document the review date, participants, and findings
- 4.Identify any unsupported technologies and create a remediation plan with timelines for replacement or removal
- 5.Ensure review results are approved by management and retained as evidence of compliance
- 6.Update your inventory quarterly and conduct the full annual review at minimum
Evidence auditors look for
- Hardware and software inventory spreadsheet with vendor support status columns
- Vendor lifecycle documentation or end-of-support dates for operating systems and applications
- Annual technology review meeting minutes signed by IT and security leadership
- Remediation plans for unsupported technologies with replacement timelines
- Change logs showing removal or updates of unsupported systems
- Dated review certifications or sign-offs from authorized personnel
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically catalogs your hardware and software inventory, monitors vendor end-of-life announcements, and alerts you when technologies approach unsupported status—eliminating manual tracking and ensuring your annual 12.3.4 review stays current.
See how GRCWatch handles this control automatically
Start free trial