PCI-DSS Requirement 12.3.4
Annual review of hardware and software at vendor end-of-support. Required since 2025-03-31.
PCI-DSS standard text is paywalled at the PCI SSC document library: downloading the standard itself requires accepting the council's license agreement. The publicly-available primary document that describes Requirement 12.3.4 is the Summary of Changes from PCI DSS Version 3.2.1 to 4.0 (May 2022). Quotes below are from that document. Where this page draws on a QSA-firm secondary, it is labeled supporting context, not primary.
Requirement 12.3.4 is part of PCI-DSS v4.0 (and carried into v4.0.1). It applies to every entity in scope for PCI-DSS: merchants, service providers, and any organization that stores, processes, or transmits cardholder data, or whose systems can affect the security of the cardholder data environment. The clause sits inside Requirement 12 ("Support information security with organizational policies and programs") and mandates a documented annual review of hardware and software technologies in use, with end-of-life status as a named consideration.
The clause was a future-dated requirement. Per the PCI SSC Summary of Changes: "This requirement is a best practice until 31 March 2025." That transition has now passed. Since that date, 12.3.4 is a fully assessed requirement on every PCI-DSS v4.x assessment.
The 12.3.4 text
The PCI SSC Summary of Changes describes 12.3.4 in two places. The first is the change-description table (the most substantive public quote we can attribute to a primary PCI document):
"12.3.4 New requirement to review hardware and software technologies in use at least once every 12 months.
This requirement is a best practice until 31 March 2025."
PCI Security Standards Council, Summary of Changes from PCI DSS Version 3.2.1 to 4.0, May 2022, page 22, change description for 12.3.4. PCI SSC PDF.
The second is the future-dated-requirements summary table, which restates the requirement title and lists the 31 March 2025 effective date:
"12.3.4 Hardware and software technologies are reviewed."
Applicable to: All Entities. Effective Date: 31 March 2025.
PCI Security Standards Council, Summary of Changes from PCI DSS Version 3.2.1 to 4.0, May 2022, page 31, future-dated requirements table. PCI SSC PDF.
The full clause text in the PCI-DSS standard itself, which spells out the assessor-evidence sub-bullets (current technology support status, named end-of-life plan, etc.), is not redistributable from the paywalled standard. We do not reproduce it here. For the verbatim sub-bullet structure, your QSA has the standard.
What 12.3.4 requires
- Annual frequency. "Review hardware and software technologies in use at least once every 12 months," per the PCI SSC Summary of Changes (page 22).
- End-of-life is the named trigger. A QSA-firm secondary states: "All hardware and software technologies in use must be formally reviewed annually to ensure the technologies are effective and not 'end of life'" (GuidePoint Security, supporting context, not primary). The standard-text sub-bullets that enumerate "current technology support status" and the documented end-of-life plan live in the paywalled standard.
- Documented plan for outdated technologies. Per the same QSA-firm secondary: "documenting end-of-life plans and have a documented plan approved by senior management to remediate insecure and outdated technologies" (GuidePoint Security, supporting context).
- Required since 2025-03-31. The PCI SSC Summary of Changes (page 31) places 12.3.4 in the "Effective Date: 31 March 2025" row of the future-dated requirements table. v4.0 assessments completed before that date treated 12.3.4 as best practice; assessments after must treat it as fully in scope.
- Carried into v4.0.1. PCI-DSS v4.0.1 is a limited revision of v4.0 (per the PCI SSC blog announcing v4.0.1) and the Summary of Changes from v4.0 to v4.0.1 introduces no new or deleted requirements, so 12.3.4 carries forward unchanged.
Devices in our catalog from PCI-scope networking vendors
12.3.4 is vendor-neutral: it applies to whatever hardware and software is in your cardholder data environment. The catalog subset below is filtered to networking vendors most commonly named in PCI-scope perimeter, segmentation, and load-balancing footprints (Cisco, Juniper, Palo Alto Networks, Fortinet, F5), and to products currently at end-of-life. The 12.3.4 review obligation is what makes this list relevant: each of these is a device that, if in scope, must be on the annual-review docket and named in your remediation plan. Verify against the vendor's own bulletin and your QSA's scoping before acting.
What this means operationally
12.3.4 creates the inventory-and-review obligation; 6.3.3 creates the patch-deployment SLA. Both fail on EoL hardware, but for different reasons and in different audit findings. For the QSA evidence-collection workflow, named compensating controls (network isolation, enhanced monitoring, third-party support, risk-acceptance sign-off), and the cross-framework view that includes HIPAA 164.308 and NIST SP 800-53 SA-22, see compliance and insurance impact. For per-vendor lifecycle policy detail with citations, see the lifecycle policy hubs: Cisco, Juniper, Palo Alto. Use the 12-month and 24-month calendar feeds to populate the annual review with concrete dates for the network gear in scope.
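One way to turn the annual-review obligation into a repeatable check, as an added example that is not part of the PCI SSC material or any vendor's tooling: classify each in-scope asset by its vendor end-of-support date against the 12-month review cadence and the 24-month look-ahead named above. Asset names, dates and the status labels are constructed placeholders, not real product data.

```python
"""Annual technology-review docket (added, constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 365          # "at least once every 12 months"
LOOKAHEAD_DAYS = 730                # horizon of the 24-month calendar feed
ENFORCED_FROM = date(2025, 3, 31)   # 12.3.4 fully assessed from this date

@dataclass
class Asset:
    name: str                       # constructed label, not a real product
    end_of_support: Optional[date]  # None: no vendor date on file yet
    cde_scope: bool = True          # only in-scope assets go on the docket

def classify(asset: Asset, review_date: date) -> str:
    """Docket status for one asset as of review_date (labels are ours)."""
    if not asset.cde_scope:
        return "OUT_OF_SCOPE"
    if asset.end_of_support is None:
        return "UNKNOWN_SUPPORT_STATUS"      # cannot attest support status
    days_left = (asset.end_of_support - review_date).days
    if days_left <= 0:
        return "EOL_PLAN_REQUIRED"          # documented, management-approved plan
    if days_left <= REVIEW_INTERVAL_DAYS:
        return "EOL_BEFORE_NEXT_REVIEW"     # will lapse before the next cycle
    if days_left <= LOOKAHEAD_DAYS:
        return "EOL_WITHIN_24_MONTHS"       # track on the 24-month feed
    return "SUPPORTED"

def review_is_current(last_review: Optional[date], today: date) -> bool:
    """True if the last documented review meets the 12-month cadence."""
    return last_review is not None and (today - last_review).days <= REVIEW_INTERVAL_DAYS

def build_docket(inventory, review_date: date) -> dict:
    """Map action-needed status -> sorted asset names; supported gear is omitted."""
    docket = {}
    for asset in inventory:
        status = classify(asset, review_date)
        if status not in ("SUPPORTED", "OUT_OF_SCOPE"):
            docket.setdefault(status, []).append(asset.name)
    return {k: sorted(v) for k, v in docket.items()}

# Constructed sample inventory: placeholder names and dates, not vendor bulletins
INVENTORY = [
    Asset("edge-fw-01", date(2024, 12, 31)),
    Asset("core-sw-02", date(2026, 1, 15)),
    Asset("lb-03", date(2027, 2, 1)),
    Asset("seg-fw-04", None),
    Asset("lab-router", date(2024, 1, 1), cde_scope=False),
    Asset("dmz-fw-05", date(2028, 6, 30)),
]

if __name__ == "__main__":
    for status, names in build_docket(INVENTORY, ENFORCED_FROM).items():
        print(f"{status}: {', '.join(names)}")
```

Any asset in the UNKNOWN_SUPPORT_STATUS bucket blocks the review from being complete: the support status has to be resolved with the vendor before the docket can be signed off.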
Sources
- PCI Security Standards Council Document Library (primary; standard text behind license-agreement gate)
- PCI SSC: Summary of Changes from PCI DSS Version 3.2.1 to 4.0 (May 2022, PDF) (primary; the publicly-available source for the verbatim 12.3.4 quotes above)
- PCI SSC blog: Just Published: PCI DSS v4.0.1 (primary; confirms v4.0.1 is a limited revision with no new or deleted requirements)
- GuidePoint Security: PCI DSS 4.0 Major Future-Dated Requirements (supporting context, not primary; QSA-firm interpretation of the 12.3.4 evidence sub-bullets)
Last reviewed .