Global · payment card industry

PCI DSS evidence from the software side

PCI DSS 4.x sharpened the software expectations on everyone touching cardholder data: maintain an inventory of bespoke and custom software, develop it securely, find vulnerabilities, and fix them on defined timelines. Assessors verify these controls; they do not take your word.

Who this applies to

Merchants, processors, issuers, and service providers with cardholder data environments, and the software teams building what runs in them.

What it asks for

Software inventory (req. 6)
An inventory of bespoke and custom software, including third-party components, maintained to facilitate vulnerability and patch management.

Secure development
Software developed securely, with code review or automated analysis before release and protection against common attack classes.

Vulnerability management (req. 6 and 11)
Identify vulnerabilities via ongoing processes and scanning, rank them, and remediate on schedule.

How SecuNexa and BOMNexa map to it

Component inventory
SBOMs with full dependency graphs per application are the living form of the required inventory.

Pre-release verification
SAST, secrets, and dependency analysis gate releases in CI, with evidence per finding for assessor sampling.

Scanning and ranking
Application and network scanning feed one queue ranked by severity and exploitation evidence, with SLA tracking against your remediation windows.

Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.

Frequently asked questions
Does this replace ASV scans?

No. External ASV scans must come from an approved scanning vendor. SecuNexa covers the internal scanning, secure development, and inventory controls, and gives your internal program real substance between assessments.

Our processors ask about requirement 6.3.2. What is it?

It is the inventory of bespoke and custom software, including third-party components, one of the 4.x future-dated requirements that has since become mandatory. Generated SBOMs per application are the practical way to satisfy and maintain it.

Walk through your PCI DSS 4.x evidence gaps with us, live.
Request a demo