PCI DSS 4.0 · Requirement 6 · card-data environments

Software inventory & vulnerability management for PCI DSS

PCI DSS 4.0 Requirement 6 expects an inventory of your software components (6.3.2), identified and risk-ranked vulnerabilities (6.3.1) and timely patching (6.3.3). IsItPatched delivers that from an SBOM — known and actively-exploited component CVEs, risk ranking, the minimum safe version, and QSA-ready evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for everyone in card-data scope

Merchants

Anyone storing, processing or transmitting cardholder data. Keep the Requirement 6 software inventory and vulnerability process without new tooling.

Service providers & processors

Higher scrutiny, more software. Show a continuous, risk-based vulnerability-handling process across your components.

QSAs & compliance teams

Hand assessors a clean component inventory, risk-ranked vulnerabilities and a remediation record.

PCI DSS Requirement 6 → what IsItPatched gives you

Software inventory (6.3.2)

Drop in a CycloneDX or SPDX SBOM for a per-component inventory of third-party and open-source software — the inventory 6.3.2 requires.

Scan an SBOM →

Identify & risk-rank vulnerabilities (6.3.1)

Each component's CVEs, risk-ranked by actively-exploited (CISA KEV) and high-EPSS status — the prioritisation 6.3.1 expects.

See actively-exploited CVEs →

Patch on time (6.3.3)

The minimum safe version and a critical-first queue help you meet the "patch critical vulnerabilities promptly" expectation.

Open your dashboard →

End-of-life & QSA evidence

End-of-life tracking flags unsupported components; export a risk register and VEX as your assessment record.

End-of-life calendar →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — your risk-ranked remediation record

Sign in (free, no password) to sync your component stack and generate these from your dashboard.

Straight with you: PCI DSS has twelve requirements — network segmentation, encryption, access control, logging and much more — most of which a vulnerability tool does not touch. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the software-inventory and vulnerability-identification parts of Requirement 6 specifically. It is not a QSA, not an assessment or attestation of compliance, and not legal advice.

PCI DSS 4.0 — frequently asked

What is PCI DSS 4.0?

The Payment Card Industry Data Security Standard (v4.0, now 4.0.1) is the security standard every organisation that stores, processes or transmits cardholder data must meet. Its twelve requirements span network security, encryption, access control, logging and more. Requirement 6 — "develop and maintain secure systems and software" — is where software components and vulnerabilities live: 6.3.1 (identify and risk-rank vulnerabilities), 6.3.2 (maintain an inventory of bespoke, custom and third-party software), and 6.3.3 (install security patches on time).

How does IsItPatched help with PCI DSS?

It maps directly onto the Requirement 6 software pieces: scan a CycloneDX/SPDX SBOM to maintain the 6.3.2 inventory of third-party components, identify and risk-rank their vulnerabilities for 6.3.1 (using CISA KEV + EPSS, and flagging the critical/high ones 6.3.3 wants patched fastest), see the minimum safe version, track end-of-life components, and export a risk register / VEX for your QSA.
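As an added illustration (not IsItPatched's own code) of the pipeline this answer and the "Export your evidence" list describe: parse a CycloneDX SBOM, match each component against an advisory table, rank known-exploited CVEs first and high-EPSS CVEs next, derive the minimum safe version per component, and emit a CycloneDX-VEX-shaped record. The SBOM, the advisory table, the KEV set, the EPSS scores and the 0.10 "high EPSS" cut-off are all constructed stand-ins for the OSV, CISA KEV and EPSS feeds; the version comparison is deliberately simplified (numeric only, no pre-releases) and assumes that a fix present in one release persists in every later one.

```python
"""Added example: SBOM -> matched CVEs -> KEV/EPSS-ranked patch queue -> VEX.
Not IsItPatched's code; all data below is constructed for the demonstration."""
import json
from typing import Any

# Constructed CycloneDX 1.5 SBOM fragment with hypothetical components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.4.1",
         "purl": "pkg:pypi/example-http@2.4.1"},
        {"type": "library", "name": "example-xml", "version": "1.0.3",
         "purl": "pkg:pypi/example-xml@1.0.3"},
        {"type": "library", "name": "example-log", "version": "5.2.0",
         "purl": "pkg:pypi/example-log@5.2.0"},
    ],
})

# Constructed advisory table standing in for an OSV lookup:
# (package, placeholder CVE id, introduced, fixed, CVSS base score).
ADVISORIES = [
    ("example-http", "CVE-0000-0001", "2.0.0", "2.4.3", 9.8),
    ("example-http", "CVE-0000-0002", "2.4.0", "2.5.0", 5.3),
    ("example-xml",  "CVE-0000-0003", "1.0.0", "1.0.4", 7.5),
    ("example-log",  "CVE-0000-0004", "5.0.0", "5.1.2", 6.1),  # already fixed
]
KEV = {"CVE-0000-0003"}                      # stand-in for the CISA KEV catalogue
EPSS = {"CVE-0000-0001": 0.91, "CVE-0000-0002": 0.04, "CVE-0000-0003": 0.37}
EPSS_HIGH = 0.10                             # hypothetical "high EPSS" threshold


def parse_version(v: str) -> tuple[int, ...]:
    """Simplified numeric version key; real tooling needs full semver/PEP 440."""
    return tuple(int(p) for p in v.split("."))


def scan(sbom_json: str) -> list[dict[str, Any]]:
    """6.3.2 inventory -> 6.3.1 findings: every open advisory per component."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for pkg, cve, introduced, fixed, cvss in ADVISORIES:
            if pkg != comp["name"]:
                continue
            # Open only if the running version lies in [introduced, fixed).
            if parse_version(introduced) <= ver < parse_version(fixed):
                findings.append({
                    "purl": comp["purl"], "component": pkg, "cve": cve,
                    "fixed": fixed, "cvss": cvss,
                    "kev": cve in KEV, "epss": EPSS.get(cve, 0.0),
                })
    return findings


def risk_rank(findings: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Known-exploited first, then high-EPSS, then by CVSS: the patch queue."""
    return sorted(findings, key=lambda f: (
        not f["kev"], f["epss"] < EPSS_HIGH, -f["cvss"], -f["epss"]))


def min_safe_version(findings: list[dict[str, Any]], component: str):
    """Smallest version clearing every open finding for a component, assuming
    each fix persists in all later releases (so the highest 'fixed' wins)."""
    fixes = [parse_version(f["fixed"]) for f in findings
             if f["component"] == component]
    return ".".join(map(str, max(fixes))) if fixes else None


def to_vex(findings: list[dict[str, Any]]) -> dict[str, Any]:
    """CycloneDX-VEX-shaped document: one vulnerability entry per finding."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "vulnerabilities": [
            {"id": f["cve"],
             "affects": [{"ref": f["purl"]}],
             # KEV entries are marked exploitable; everything else awaits triage.
             "analysis": {"state": "exploitable" if f["kev"] else "in_triage"},
             "recommendation": f"Upgrade {f['component']} to {f['fixed']} or later"}
            for f in findings],
    }


if __name__ == "__main__":
    queue = risk_rank(scan(SBOM_JSON))
    for f in queue:
        print(f["cve"], f["component"], "KEV" if f["kev"] else "",
              f"epss={f['epss']}", f"fix>={f['fixed']}")
    print(json.dumps(to_vex(queue), indent=2))
```

The ordering key encodes the prioritisation the page describes: an entry on the KEV list outranks any CVSS score, a high-EPSS entry outranks a low-EPSS one, and CVSS only breaks ties after that. The component that is already past its fixed version produces no finding, so the queue is an honest record of what is still open rather than of every advisory ever published.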

Does IsItPatched make us PCI DSS compliant?

No. PCI DSS has twelve requirements covering network segmentation, encryption, access control, logging and much more. IsItPatched helps with the software-inventory and vulnerability-identification parts of Requirement 6 specifically. It is informational, built on public data — not a QSA, not an assessment, and not legal advice.

Selling into other regulated markets? See all our compliance editions →