PCI DSS evidence from the software side
PCI DSS 4.x sharpened the software expectations on everyone touching cardholder data: maintain an inventory of bespoke and custom software, develop it securely, find vulnerabilities, and fix them on defined timelines. Assessors verify these controls; they do not take your word.
Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.
Does this replace ASV scans?
No. External vulnerability scans must be performed by a PCI-approved scanning vendor (ASV). SecuNexa covers the internal vulnerability scanning, secure development, and software inventory controls, and gives your internal program real substance between assessments.
Our processors ask about requirement 6.3.2. What is it?
It is the inventory of bespoke and custom software, including the third-party components incorporated into it, that became mandatory when the 4.x future-dated requirements took effect. Generated SBOMs per application are the practical way to satisfy and maintain it.