KORTHEXkorthex.flowence.cc

Compliance / PCI DSS 4.0

PCI-DSS Cryptography Scanner

Korthex scans code, configuration, TLS and databases for cryptography that violates PCI DSS 4.0, and generates the documented inventory of cipher suites and protocols that requirement 12.3.3 demands, as a CBOM with file and line evidence. 100% on-premise, so cardholder-data environments never expose source code.

Where PCI DSS demands strong cryptography

  • Requirement 3.5.1: PAN rendered unreadable anywhere it is stored, using strong cryptography
  • Requirements 3.6 and 3.7: documented key-management processes for the keys that protect cardholder data
  • Requirement 4.2.1: strong cryptography for PAN transmitted over open, public networks
  • Requirement 8.3.2: passwords and credentials protected with strong cryptography
  • Requirement 12.3.3: an inventory of all cipher suites and protocols in use, documented and reviewed at least every 12 months
  • Since March 31, 2025 the future-dated PCI DSS 4.0 requirements are mandatory, not best practice

What Korthex finds in a cardholder-data environment

  • Weak hashes protecting stored data: MD5, SHA-1, unsalted or fast hashes where strong cryptography is required
  • Legacy ciphers in code and dependencies: DES, 3DES, RC4, Blowfish, AES-ECB misuse
  • TLS configurations accepting weak protocol versions or cipher suites on data-in-transit paths
  • Hardcoded keys, credentials and API tokens in source, configuration and git history
  • Database and storage-layer encryption state
  • Key provenance: taint classification shows where every key originates

Requirement 12.3.3: the inventory, automated

The CBOM is the documented cipher-suite and protocol inventory that 12.3.3 asks for: every cryptographic primitive and protocol in use, with file and line evidence. Because it regenerates on every scan or commit, the review requirement turns from an annual scramble into a byproduct of CI. Export as PDF for your QSA or as CycloneDX and JSON for tooling.

Honest scope

Korthex covers the cryptography slice of PCI DSS: parts of requirements 3, 4 and 8, and the 12.3.3 inventory. It does not do network segmentation testing, ASV scanning or the full SAQ / RoC process. It pairs with, and feeds evidence into, your assessor workflow.

Frequently asked questions

Is a cryptographic inventory mandatory under PCI DSS?

Yes. PCI DSS 4.0 requirement 12.3.3 requires an inventory of all cipher suites and protocols in use, documented and reviewed at least once every 12 months. Since March 31, 2025 this is mandatory. The Korthex CBOM is that inventory, generated from what your systems actually run.

Does Korthex find TLS below 1.2 on cardholder-data flows?

Yes. TLS configurations and cipher suites are scanned for weak protocol versions, weak suites and weak certificate signatures, and mapped to requirement 4.2.1.

Can I hand the report to a QSA?

Yes. The CBOM exports as PDF for assessors and as CycloneDX, SARIF or JSON for tooling, with file:line evidence, severity and a taint verdict per finding.

Does source code leave the CDE?

No. Korthex runs 100% on-premise as a CLI or inside CI/CD, including air-gapped operation. Only anonymized metadata is transmitted for the dashboard report.

Which PCI DSS requirements does Korthex cover?

The cryptographic requirements: strong cryptography for stored PAN (3.5.1), key management context (3.6, 3.7), data in transit (4.2.1), credential protection (8.3.2), and the cipher-suite inventory (12.3.3). Segmentation, ASV scans and the assessment process itself remain with your QSA.