PCI DSS 6.3.2: Maintain Bespoke Software Inventory
Custom and bespoke software poses unique security risks that standard tools often miss. PCI DSS 6.3.2 requires you to maintain a comprehensive inventory of all custom-developed applications to enable effective vulnerability and patch management. Without visibility into your bespoke software landscape, you cannot adequately protect cardholder data or demonstrate compliance to auditors.
What this means
This control requires organizations to document and track all custom and proprietary software deployed in their environment. Unlike off-the-shelf applications, bespoke software often lacks vendor security patches and requires internal vulnerability assessment processes. Maintaining an accurate inventory ensures your organization can identify which custom applications need security updates, who developed them, their current versions, and where they're deployed across your systems.
How to comply
- 1.Identify and document all custom software developed internally or by third parties
- 2.Record software name, version, location, business purpose, and development owner for each application
- 3.Integrate custom software inventory with your vulnerability management program
- 4.Establish a process to track security patches and updates specific to bespoke applications
- 5.Review and update the inventory at least annually or when new custom software is deployed
- 6.Link inventory records to patch management and vulnerability assessment activities
- 7.Maintain evidence of inventory reviews and any changes to custom software applications
Evidence auditors look for
- Documented custom software inventory spreadsheet or database with version and location information
- Vulnerability scan reports showing custom applications included in scanning scope
- Patch management logs demonstrating updates applied to bespoke software
- Custom software development documentation including security assessment records
- Inventory review meeting minutes or audit reports confirming regular maintenance
- Change management records showing when custom software was added, updated, or removed
- Integration documentation between inventory system and vulnerability management tools
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates custom software inventory tracking and links it directly to your vulnerability management workflows, eliminating manual spreadsheet updates and ensuring your bespoke applications never fall outside patch management scope.
See how GRCWatch handles this control automatically
Start free trial