PCI DSS 4.0 · REQUIREMENT 6.3.2
Your SBOM lists 10,000 components. Your QSA wants the 37 that load in the CDE.
PCI DSS 4.0 turned Requirement 6.3.2 into a workflow, not a deliverable. Score your evidence against the 19 questions QSAs are actually asking in 2026 — and see whether you're audit-defensible or still running an SBOM-only posture.
Runtime provides truth.
Get the PCI DSS 4.0 readiness checklist
A free one-page checklist — 19 evidence checks across Requirement 6.3.2 and its neighbors. Instant download.
What we validate:
Execution of recent npm, Shai-Hulud and TeamPCP-related code paths.
Credential exposure (tokens, env, CI secrets).
Persistence or follow-on activity.
Runtime reachability and exploitability.
WHAT'S INSIDE
19 evidence checks across Requirement 6.3.2 and its neighbors. Here's what's inside:
The declared inventory (6.3.2) — a per-build SBOM with provenance
The runtime layer — which components actually loaded in the CDE
Reachability, the justified backlog, and remediation on a clock
A 0–19 scoring rubric: audit-defensible, or SBOM-only
Mark only the evidence you can produce on demand today — the way a QSA will ask for it.
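The evidence split the checklist describes (the declared SBOM inventory versus the components observed loading on CDE hosts) can be produced mechanically. The following Python is an added illustration, not the page's or the vendor's own tooling: it reconciles a constructed CycloneDX-style SBOM fragment against a constructed feed of runtime load events (host, CDE membership, package URL loaded) and sorts the results into the three buckets a QSA tends to ask for: declared components that actually loaded in the CDE, components that loaded in the CDE but are missing from the SBOM (drift), and declared components never seen loading there. The SBOM contents, host names and event format are assumptions made for the example.

```python
"""Reconcile a declared SBOM against components observed loading at runtime.

Added example, not the page's own tooling. Assumes a CycloneDX-style SBOM
carrying package URLs (purls) and a constructed feed of runtime load events
that record the purl loaded on each host and whether that host is in the CDE.
"""
import json
from collections import defaultdict

# Constructed SBOM fragment in CycloneDX-like shape (not real project data).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "jest", "version": "29.7.0", "purl": "pkg:npm/jest@29.7.0"},
    ],
})

# Constructed runtime load events: host, CDE membership, purl observed loading.
RUNTIME_EVENTS = [
    {"host": "pay-api-01", "in_cde": True, "purl": "pkg:npm/express@4.19.2"},
    {"host": "pay-api-01", "in_cde": True, "purl": "pkg:npm/lodash@4.17.21"},
    {"host": "pay-api-02", "in_cde": True, "purl": "pkg:npm/express@4.19.2"},
    # Version drift: a lodash build that is not the one the SBOM declares.
    {"host": "pay-api-02", "in_cde": True, "purl": "pkg:npm/lodash@4.17.20"},
    # Out-of-scope host: a CI runner outside the CDE loading a test framework.
    {"host": "build-runner", "in_cde": False, "purl": "pkg:npm/jest@29.7.0"},
]


def declared_purls(sbom_json):
    """Return the set of purls declared in the SBOM (the 6.3.2 inventory)."""
    bom = json.loads(sbom_json)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}


def reconcile(sbom_json, events):
    """Split runtime observations into the buckets a QSA asks about.

    Returns a dict with:
      loaded_in_cde  - declared components observed loading on CDE hosts,
                       mapped to the sorted list of hosts that loaded them
      undeclared     - purls that loaded in the CDE but are absent from the SBOM
      declared_only  - declared components never seen loading in the CDE
    """
    declared = declared_purls(sbom_json)
    loaded = defaultdict(set)
    undeclared = defaultdict(set)
    for ev in events:
        if not ev["in_cde"]:
            continue  # loads outside the CDE are out of scope for this check
        bucket = loaded if ev["purl"] in declared else undeclared
        bucket[ev["purl"]].add(ev["host"])
    return {
        "loaded_in_cde": {p: sorted(h) for p, h in sorted(loaded.items())},
        "undeclared": {p: sorted(h) for p, h in sorted(undeclared.items())},
        "declared_only": sorted(declared - set(loaded)),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SBOM_JSON, RUNTIME_EVENTS), indent=2))
```

The "undeclared" bucket is the one that usually matters most in an assessment: a component loading in the CDE that the per-build SBOM does not declare means either the build provenance or the runtime telemetry is wrong, and either way the inventory cannot be defended as complete until the discrepancy is explained. Keying on the full purl (name and version) rather than the bare package name is what makes version drift visible.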
Score your PCI DSS 4.0 evidence against the questions QSAs are really asking in 2026.