Cryptographic Discovery & Post-Quantum Readiness

Cryptographic Visibility, CBOM, and Crypto-Agility Across the Enterprise Estate

Most organisations cannot produce a reliable inventory of the cryptography they run. AKATI Sekurity delivers cryptographic discovery engagements that establish what is actually deployed across the estate, identify quantum-vulnerable algorithms, and produce a machine-readable Cryptographic Bill of Materials in the CycloneDX format. The inventory evidences the obligations an organisation already carries and establishes the crypto-agility to change algorithms without rebuilding infrastructure. The service applies across every sector and every regulatory regime, and to organisations subject to none.

PCI SSC Qualified Security Assessor
CREST Accredited
ISO 27001 / 27017 / 27018

Applicable Across Every Sector and Every Regime

The obligation is not confined to payments, to financial services, or to any one jurisdiction. It appears in payment security standards, in certification schemes, in technology risk regimes, and in government procurement requirements, and it appears in substance for organisations answering to no regulator whatsoever. Different obligations carry different deadlines, and all of them resolve to a single question that does not change as it crosses an industry or a border: do you know what cryptography you are running, and can you change it?

Payments

PCI DSS v4.0.1

Requirement 12.3.3 obliges an annually reviewed cryptographic inventory, active monitoring of continued viability, and a documented response plan. Mandatory since 31 March 2025.

Certification

ISO/IEC 27001:2022

Annex A requires rules for the effective use of cryptography including key management, alongside an inventory of information and associated assets. An ISMS cannot evidence either control without knowing what cryptography exists.

Technology Risk

MAS TRM and BNM RMiT

Technology risk regimes governing regulated financial institutions already require cryptographic and key management discipline that an inventory serves directly, and equivalent regimes apply to regulated entities in most major markets.

Government Supply

CNSA 2.0, NSM-10 and OMB M-23-02

Government cryptographic mandates set the most concrete post-quantum migration deadlines currently published anywhere, and they cascade through supplier and vendor expectations well beyond government itself.

Operational Resilience

Financial Resilience Regulation

Operational resilience regulation obliges firms to manage technology risk in terms that cryptographic agility sits squarely inside, whether or not the regulation uses that vocabulary.

No Obligation

Confidentiality Lifetime

Where no obligation applies, exposure is determined by the confidentiality lifetime of the data rather than by a compliance deadline. Source code, intellectual property, patient records, legal files and commercial secrets commonly require protection for years or decades.

Cryptographic Inventory Is No Longer Optional

The obligation to inventory and govern cryptography is already in force across the standards most organisations are assessed against today. Regulators, standards bodies and certification schemes have converged on a consistent expectation: know what cryptography you run, monitor whether it remains viable, and maintain a documented plan for changing it. PCI DSS states the expectation most explicitly and attaches a date to it. The standards clock is running in parallel, since NIST published the first post-quantum standards, FIPS 203, FIPS 204 and FIPS 205, on 13 August 2024, and its draft transition roadmap proposes deprecating widely deployed classical asymmetric algorithms after 2030 and disallowing them after 2035.

12.3.3
Mandatory Since March 2025

PCI DSS Requirement 12.3.3, Mandatory Since 31 March 2025

PCI DSS Requirement 12.3.3 obliges organisations to document and review the cryptographic cipher suites and protocols they have in use at least once every 12 months. It calls for an up-to-date inventory recording the purpose of each one and where it is used, for active monitoring of industry trends regarding their continued viability, and for a documented plan to respond to anticipated changes in cryptographic vulnerabilities.

It remained a best practice until 31 March 2025, after which it became a full requirement that must be fully considered during an assessment. It applies to all cryptography used to meet PCI DSS requirements, including the cryptography that renders PAN unreadable in storage and in transmission, that protects passwords, and that authenticates access. Most organisations have satisfied it on paper. Considerably fewer could satisfy it under examination.

This matters even if you have never processed a payment card, because it establishes the direction of travel. An established standards body, having looked at the problem, concluded that a cryptographic inventory is not optional and set a date. The same expectation already appears, in less prescriptive language, across the regimes and certification schemes set out below.

References to PCI DSS describe Requirement 12.3.3 of the Payment Card Industry Data Security Standard v4.0.1. PCI DSS is a standard of the PCI Security Standards Council, LLC. AKATI Sekurity is a PCI SSC Qualified Security Assessor and Approved Scanning Vendor. The interpretation of how Requirement 12.3.3 relates to post-quantum cryptography set out on this page is AKATI Sekurity's own, and it does not represent a position of the PCI Security Standards Council.

What Discovery Reveals in a Typical Estate

Cryptography cannot be documented if its presence is unknown. In most estates a significant proportion of cryptographic assets sit outside any inventory, with no accountable owner and no review history. The following findings recur across sectors and across environments of any age.

Unowned Key Material

Key material embedded in application code and configuration, typically introduced by teams or contractors no longer with the organisation. Excluded from rotation schedules and absent from key management records.

Unmanaged Certificates

Certificates issued outside current governance and renewing automatically without an accountable owner. Expiry is identified at the point of failure rather than in advance.

Third-Party Cryptography

Cryptographic operations performed inside vendor appliances and third-party products, where the implementation is neither visible nor modifiable and contractual terms do not require disclosure.

Inherited Library Defaults

Algorithms running in production by default rather than by decision, inherited from library configuration at the point of import and never reviewed against current cryptographic guidance.

A Machine-Readable Cryptographic Bill of Materials

A Cryptographic Bill of Materials applies the logic of a software bill of materials to cryptography, and it is built against an established open standard rather than a proprietary format. CycloneDX, the OWASP bill-of-materials standard, introduced native CBOM support in version 1.6 and is published as ECMA-424, which means the inventory slots into the tooling and pipelines that already handle your SBOMs. The defining characteristic is that a CBOM is discovered rather than surveyed: it is produced by scanning source code, binaries, configuration, certificate and key stores, and network traffic, rather than by circulating a questionnaire, because questionnaires return only the cryptography people already remember. Each engagement delivers the following.

  • Every algorithm, key, certificate, protocol and library in the assessed scope, recorded in the CycloneDX CBOM format (ECMA-424) rather than in a document that is stale on the day it is signed.
  • The purpose of each cryptographic asset and the systems on which it runs, which is the element of Requirement 12.3.3 that organisations most often cannot evidence.
  • Dependency mapping showing what relies on each asset, so that the cost and sequence of any future change can be assessed before it is committed to.
  • Expiry and lifecycle data, surfacing the certificates and keys that will fail in the coming months regardless of what happens with quantum computing.
  • Identification of quantum-vulnerable cryptography across the estate, covering the asymmetric algorithms a cryptographically relevant quantum computer would defeat, including RSA, ECDSA, ECDH and Diffie-Hellman.
  • An exposure assessment identifying the assets whose confidentiality lifetime exceeds any realistic migration timeline, which is the analysis that determines sequencing.
  • A documented response plan addressing anticipated changes in cryptographic vulnerabilities, which satisfies the third element of PCI DSS Requirement 12.3.3 and evidences the equivalent expectation under ISO 27001 and the technology risk regimes.

A Structured, Discovery-Led Methodology

Engagements begin with a bounded scope and a discovery pass rather than with a strategy, on the principle that a roadmap written in the absence of an inventory documents assumptions rather than the estate. Scope extends outward once the initial findings establish where exposure actually sits. Every engagement follows the same six phases.

01

Scoping

We begin with a boundary that already exists, and the cardholder data environment is the natural candidate on the straightforward grounds that the obligation is already there and somebody has already drawn the line around it. Scope can extend outward once the value is demonstrated rather than argued.

02

Discovery

Discovery runs across source code, binaries, configuration, certificate and key stores, and network traffic, establishing what is genuinely running rather than what was reported. It surfaces the cryptography nobody would have declared for the simple reason that nobody knew it was there. This phase consistently takes longer than organisations expect, and that is itself a finding.

03

Assessment

We assess what has been found against the requirement, against current cryptographic guidance, and against the confidentiality lifetime of the data each asset protects. The output distinguishes what must change now, what must change soon, and what can reasonably wait.

04

Roadmap and Agility

We deliver a sequenced migration roadmap toward the quantum-safe standards, alongside recommendations for crypto-agility and, where appropriate, hybrid classical and post-quantum modes during transition. The durable outcome is agility rather than any single algorithm, because ML-KEM and ML-DSA will not be the last algorithms anyone is obliged to migrate to.

05

Annual Review

An inventory that is not maintained is an inventory that fails at the next assessment, and estates move constantly. PCI DSS puts a twelve-month clock on the review explicitly, and every other scheme expects currency whether or not it names an interval. We re-run discovery annually, refresh the inventory against the estate as it actually stands, and evidence the review.

06

Assessment Support

We assess cryptographic controls for a living, across PCI DSS, ISO 27001, and the technology risk regimes our regulated clients answer to. We therefore understand what evidence an assessor will ask for and in what form, because we ask for it ourselves. The inventory is built to be examined rather than to be filed, and that distinction only becomes apparent under examination.

Why AKATI Sekurity

Cryptographic discovery is an assessment discipline before it is a technology one, and the firms best placed to conduct it are the firms that already assess cryptographic controls for a living. Our credentials are earned, verified, and current.

PCI SSC QSA and ASV

A Qualified Security Assessor and Approved Scanning Vendor, assessing cryptographic controls against PCI DSS in the field

CREST Accredited

Internationally accredited for penetration testing and incident response services

ISO Certified

27001, 27017, 27018, 9001 covering information security, cloud security, and quality management

Since 2007

Offices in KL, Singapore, Hong Kong, and New York, serving banks, regulators, and payment processors across 40+ countries

Frequently Asked Questions

Straight answers on cryptographic inventory, Requirement 12.3.3, and post-quantum exposure, including the answers that do not help us sell anything.

It does not. The word "quantum" does not appear anywhere in PCI DSS v4.0.1, and any vendor telling you that the standard mandates post-quantum cryptography has not read the document they are citing.

What Requirement 12.3.3 does require is that your cryptographic cipher suites and protocols are documented and reviewed at least once every 12 months, which includes active monitoring of industry trends bearing on their continued viability, together with a documented plan for responding to anticipated changes in cryptographic vulnerabilities. It is AKATI Sekurity's view that the post-quantum transition is the largest such anticipated change currently on the public record, and that an inventory built to satisfy 12.3.3 is the same artefact a migration would require in any case. That reading of the standard is our own, and it is not a PCI mandate. We set the argument out in full in our analysis of PCI DSS Requirement 12.3.3 and cryptographic inventory.

It applies in full. PCI DSS appears throughout this page because it is the clearest and most dated expression of the obligation rather than because it is the boundary of who carries one. ISO 27001 requires rules for the effective use of cryptography and an inventory of information assets, neither of which can be evidenced without knowing what cryptography exists. The technology risk regimes our regulated clients answer to, including MAS TRM and BNM RMiT, require the same discipline in less prescriptive language.

And where no obligation applies at all, the exposure does not go away, because it was never created by the regulation in the first place. It is created by the confidentiality lifetime of your data. Source code, intellectual property, patient records, legal files and commercial secrets remain sensitive for years or decades regardless of whether anybody has written a rule about them, and encrypted traffic carrying them can be captured today and read later. The absence of a regulator is not the absence of a risk. It is only the absence of a deadline.

A Cryptographic Bill of Materials is a complete, machine-readable inventory of every cryptographic asset in an environment, covering algorithms, keys, certificates, protocols and the libraries that implement them, and recording where each one runs, what depends on it, and when it expires. A CBOM is to your cryptography what an SBOM is to your software dependencies: the same standard, answering a different question. The format is CycloneDX, the OWASP bill-of-materials standard, which introduced native cryptographic support in version 1.6 and is published as ECMA-424.

The essential characteristic is that a CBOM is discovered rather than surveyed, and the distinction matters more than it sounds. Nobody fills in a form, because forms return the cryptography that people happen to remember. Discovery runs across source code, binaries, configuration, certificate and key stores, and network traffic, in order to establish what is genuinely running, which includes the cryptography that nobody would ever have reported for the simple reason that nobody knew it was there.

It cannot. There is no update to push out and no product that renders an organisation quantum-safe upon installation, whatever the marketing around it may suggest. Post-quantum migration is a programme, not a package.

Cryptography is not a component that can be swapped out; it is a dependency threaded through every library, certificate, protocol handshake, hardware security module, embedded device and third-party product in the estate, very much including the ones you did not build and cannot modify. Migration is therefore a multi-year programme rather than a maintenance window, and its first phase is discovery. Organisations that have started this work report, with some consistency, that discovery alone has taken longer than they originally budgeted for the entire project.

Because of the problem known as harvest now, decrypt later. Encrypted traffic captured today can be stored indefinitely and decrypted at whatever point the capability arrives, which means that for any data carrying a long confidentiality life, including payment data, health records, legal and regulatory material, intellectual property, and commercial or state secrets, the exposure begins at the moment the traffic crosses the network rather than at the moment the hardware comes into existence.

The useful question, then, is not when a cryptographically relevant quantum computer will arrive, since nobody can answer that with any authority. It is how long your data must remain confidential, measured against how long your migration will realistically take. If the first number is larger than the second, you are already late, and no amount of waiting for the estimates to firm up will change that arithmetic.

The standards timeline is not waiting for the hardware in any case. NIST published the first post-quantum standards, FIPS 203, FIPS 204 and FIPS 205, on 13 August 2024, and its draft transition roadmap proposes deprecating widely deployed classical asymmetric algorithms after 2030 and disallowing them after 2035. Migration programmes are routinely measured in years, and the discovery phase alone has consistently overrun the budgets set for entire projects.

The engagement produces a discovered inventory of the cryptography actually running within a bounded scope, and the cardholder data environment is the natural place to begin, on the straightforward grounds that the obligation already exists there and somebody has already drawn the boundary around it.

The deliverable supports Requirement 12.3.3, establishes the organisation's post-quantum exposure, and surfaces a set of findings that matter immediately rather than eventually: expired and orphaned certificates, deprecated protocols still quietly negotiating in production, keys that have outlived the people who owned them, and algorithms that would not survive an assessment conducted this afternoon. It earns its cost well before quantum enters the conversation at all.

Begin With a Bounded Discovery Engagement

A bounded cryptographic discovery engagement establishes what you are genuinely running, delivers a CycloneDX CBOM, identifies your quantum-vulnerable cryptography, evidences the obligations you already carry, and surfaces the certificates and protocols that will fail this year regardless of what happens with quantum computing. The organisations that migrate well are the ones that started with an inventory rather than a strategy.

hello@akati.com  |  akati.com

Featured in

LOGO

logo

Logo

LOGO