I'm having trouble finding a good solution that would be needed for one of the new PCI 4.0 controls:
"12.3.3 Cryptographic cipher suites and protocols in use are documented and reviewed."
What is a good tool to scan for cryptographic ciphers and protocols within an environment? I believe NMAP (Zenmap for Windows) could work, but the test scans I've performed do not give accurate results, as I can see vulnerability scanning tools pick up other ciphers and protocols that NMAP does not.
Any help or advice is much appreciated.
@Gerardojr83 Given there is a multitude of tools for Quantum Safe, here are some suggestions:
https://www.ibm.com/quantum/blog/crypto-agility
https://owasp.org/blog/2023/10/03/CycloneDX-Cryptography-CBOM
https://owasp.org/www-project-cyclonedx/
There are many others available.
These generally allow you to create a Cryptographic Bill of Materials or CBOM.
There are other tools such as Kali, Nessus, etc., but obviously get permission before you use such tools on an organisation's networks.
Regards
Caute_Cautim
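Both posts above come down to the same two steps: enumerate what each endpoint actually negotiates, then record it in a form that can be reviewed (the CBOM that Caute_Cautim points at). One reason nmap can appear to "miss" ciphers is scope rather than accuracy: ssl-enum-ciphers only runs against ports a scan found open and identified as TLS, so non-default ports and STARTTLS services have to be brought into scope explicitly (for example with -p- and -sV alongside --script ssl-enum-ciphers) before the results are comparable with a vulnerability scanner. The script below is an added example, not code from either poster, from nmap or from the CycloneDX project. It parses the text that nmap's ssl-enum-ciphers script prints (the nmap output embedded in it is constructed sample data), flags deprecated protocol versions and cipher suites a reviewer would question, and emits a CycloneDX-1.6-style "protocol" cryptographic asset. The cryptoProperties field layout is written from the author's reading of the 1.6 specification and should be validated against the published schema; the host name and the observed-endpoint property value are placeholders.

```python
"""Turn nmap ssl-enum-ciphers text output into a reviewable protocol/cipher
inventory and a CycloneDX-style CBOM "protocol" component.

Added example for this thread; not code from the posters, nmap or OWASP.
SAMPLE_NMAP_OUTPUT is CONSTRUCTED data in the layout ssl-enum-ciphers prints.
The cryptoProperties layout follows CycloneDX 1.6 as understood by the author
(assumption: validate against the published schema before relying on it)."""
import json
import re

SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
"""

# A protocol header line looks like "|   TLSv1.2:"; a cipher line looks like
# "|       TLS_..._SHA256 (ecdh_x25519) - A" (name, key-exchange info, grade).
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# SSLv3 is deprecated by RFC 7568, TLS 1.0/1.1 by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark suites a reviewer would normally reject outright.
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_NULL_", "_EXPORT", "_DES_", "_MD5", "_ANON_")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [{"name", "kex", "grade"}, ...]} in the order observed."""
    inventory, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            inventory[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            inventory[current].append(
                {"name": m.group(1), "kex": m.group(2), "grade": m.group(3)})
    return inventory


def review(inventory):
    """Produce the review findings the PCI control asks for, one string each."""
    findings = []
    for proto, ciphers in inventory.items():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"{proto} enabled (deprecated by RFC 7568 / RFC 8996)")
        for c in ciphers:
            name = c["name"]
            if any(marker in name for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"{proto}: weak cipher suite {name}")
            # TLS 1.3 suites are always ephemeral; for older versions only
            # (EC)DHE key exchange gives forward secrecy.
            elif proto != "TLSv1.3" and not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append(f"{proto}: no forward secrecy for {name}")
    return findings


def to_cbom(host, port, inventory):
    """One CycloneDX-style protocol asset per TLS/SSL version observed."""
    components = []
    for proto, ciphers in inventory.items():
        version = proto.split("v", 1)[1]  # "TLSv1.2" -> "1.2", "SSLv3" -> "3"
        components.append({
            "type": "cryptographic-asset",
            "name": proto,
            "cryptoProperties": {
                "assetType": "protocol",
                "protocolProperties": {
                    "type": "tls",
                    "version": version,
                    "cipherSuites": [{"name": c["name"]} for c in ciphers],
                },
            },
            # "properties" is CycloneDX's standard key/value extension point;
            # the value here is a placeholder for where the endpoint was seen.
            "properties": [{"name": "observed-endpoint", "value": f"{host}:{port}"}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": components}


if __name__ == "__main__":
    inv = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    for finding in review(inv):
        print("FINDING:", finding)
    print(json.dumps(to_cbom("example.internal", 443, inv), indent=2))
```

Run against real output by piping `nmap -p- -sV --script ssl-enum-ciphers <host>` into `parse_ssl_enum_ciphers`; the review list is what gets attached to the periodic review the control requires, and the CBOM is the documented inventory. Because ssl-enum-ciphers only reports suites the server accepted from nmap's own candidate list, keep a second scanner's results alongside as a cross-check rather than treating either as complete on its own.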
A PCI Qualified Security Assessor (QSA) plays a critical role in helping organizations achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). QSAs are independent security companies that have been qualified by the PCI Security Standards Council to assess a merchant's adherence to PCI DSS requirements. Their participation involves conducting thorough audits of an organization's cardholder data environment, identifying vulnerabilities, and providing guidance on remediating non-compliance issues.