PQC Readiness for QSAs: Preparing for the PCI DSS 12.3.3 Annual Review

PCI DSS v4.0 Requirement 12.3.3 became enforceable on April 1, 2025. QSAs are now conducting second-cycle annual reviews against it, and organizations that produced a minimal inventory to pass the first cycle are surfacing gaps they did not anticipate. At the same time, NIST finalized FIPS 203, 204, and 205 in August 2024, and federal agencies operating under NSM-10 are actively migrating away from RSA and ECC. PCI SSC has issued no standalone PQC guidance as of early 2026. That silence is not a safe harbor — it is an audit liability, and QSAs are already encountering clients who have no answer when asked how their response strategy addresses quantum-vulnerable algorithms.

What 12.3.3 Actually Requires — and Why Its Flexibility Creates Audit Risk for PQC-Unprepared Teams

PCI DSS v4.0 Requirement 12.3.3 specifies three enforceable elements: a documented inventory of all cryptographic cipher suites and protocols in use, named ownership for that inventory, and a documented response strategy covering how the organization will address vulnerabilities in those algorithms.[PCI SSC] The standard is deliberately algorithm-agnostic — it does not enumerate which algorithms are quantum-vulnerable or mandate PQC migration on any timeline.

That flexibility has a consequence: organizations bear the interpretive burden. A QSA reviewing a 12.3.3 response strategy has no PCI SSC PQC mandate to check against, but they do have a professional obligation to assess whether the strategy is credible given current threat intelligence. An organization whose response strategy contains no reference to NIST IR 8547 deprecation timelines or FIPS 203/204/205 migration targets cannot demonstrate that its strategy is informed by the current cryptographic risk landscape. That is an audit finding waiting to surface, not a theoretical concern.

Mapping Your Cryptographic Inventory to NIST IR 8547 Deprecation Timelines

A 12.3.3-compliant inventory documents what is deployed. A PQC-ready inventory also classifies each asset by deprecation risk. NIST IR 8547 (initial public draft) establishes the deprecation framework for RSA and elliptic-curve algorithms, with use of RSA and ECC for key establishment and digital signatures targeted for disallowance after 2030, and full deprecation by 2035.[NIST IR 8547] Mapping your inventory entries against those timelines converts a compliance artifact into a migration planning tool at no additional effort.

Non-TLS environments are consistently under-inventoried in first-cycle 12.3.3 submissions. HSMs used for PIN block encryption and key wrapping, internal system-to-system APIs using RSA for session key exchange, and long-lived certificate chains protecting tokenization infrastructure all carry quantum exposure that TLS-focused inventories miss. Mapping PCI DSS 12.3.3 to a full cryptographic asset register — including hardware and non-network layers — is the remediation step most organizations face entering their second review cycle.

Each inventory entry should capture: algorithm and key length, protocol context, data classification of what the algorithm protects, asset owner, and the applicable NIST IR 8547 deprecation category. This schema supports both the 12.3.3 ownership requirement and the response strategy's prioritization logic without creating parallel documentation.

Writing a Response Strategy That Satisfies QSAs and Survives a PQC Gap Assessment

The response strategy is the element most frequently treated as a narrative placeholder. For QSAs conducting second-cycle reviews, a credible response strategy needs auditable internal milestones, not a statement of intent. NIST finalized FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) in August 2024 — these are the concrete migration targets an organization can reference today, even in the absence of PCI SSC PQC mandates.[NIST FIPS 203][NIST FIPS 204][NIST FIPS 205]

NSM-10, issued in May 2022, directs federal agencies to complete migration of national security systems to quantum-resistant cryptography by 2035.[White House NSM-10] Payment organizations are not subject to NSM-10, but the 2035 endpoint provides a credible external benchmark for structuring internal milestones. A response strategy that references NIST IR 8547's 2030 disallowance and 2035 deprecation dates, and sets internal review gates against those horizons, demonstrates that the organization is tracking the authoritative deprecation framework.

Specific milestone types that QSAs find credible include: vendor PQC roadmap assessments completed by a named date, non-production algorithm testing for FIPS 203 or FIPS 204 on a defined schedule, and HSM replacement or firmware upgrade planning tied to FIPS 140-3 PQC module availability. Because no PQC algorithm currently holds a validated FIPS 140-3 module, HSM roadmap items should state that dependency explicitly rather than omit it; milestones that acknowledge the validation gap are the ones a QSA will read as informed rather than aspirational.

What "Active Monitoring" Looks Like to a QSA in a Quantum Context

Requirement 12.3.3 specifies that the cryptographic inventory must be actively monitored, with ownership assigned.[PCI SSC] In practice, QSAs are looking for evidence that monitoring is proceduralized, not asserted. Credible evidence includes: documented review cadence (at minimum annual, tied to the 12.3.3 review cycle), defined out-of-cycle triggers such as new algorithm deprecation guidance from NIST or a material change to HSM firmware, and named individuals with update responsibility.

Quantum threat intelligence is a legitimate monitoring input when framed accurately. Harvest-now-decrypt-later collection activity — where adversaries capture encrypted payment data today for potential future decryption — is a documented threat model relevant to long-lived cardholder data, tokenization keys, and HSM-protected secrets. Referencing this threat model in monitoring documentation is appropriate; overstating the imminence of cryptographically relevant quantum computers is not. The monitoring record should cite NIST IR 8547 and FIPS 203/204/205 publication dates as evidence that the standards landscape is active, which is factually accurate and auditably defensible.

Integrating 12.3.3 Testing Procedures with a PQC Gap Assessment

The testing procedures for 12.3.3 verify that the inventory exists, is documented, has named ownership, and is reviewed at least annually.[PCI SSC] These procedures do not evaluate the technical completeness of the inventory or the credibility of the response strategy's PQC coverage. Organizations that scope-limit their inventory to TLS endpoints, for example, can satisfy the testing procedure criteria while leaving HSM key hierarchies and inter-service encryption entirely undocumented.

A PQC gap assessment addresses the technical layer the 12.3.3 testing procedures do not reach: it identifies which quantum-vulnerable algorithms are in use, where they appear in the cryptographic architecture, what data they protect, and what the migration dependency chain looks like. A structured PQC readiness assessment framework aligned to NIST IR 8547 deprecation categories can feed directly into the 12.3.3 inventory and response strategy, avoiding redundant work and eliminating the risk of conflicting findings between the compliance artifact and the technical assessment.

Practically, the schema used in the gap assessment — algorithm, key length, protocol, data sensitivity, deprecation risk — should be identical to the schema used in the 12.3.3 inventory. Running two parallel inventories with different taxonomies creates inconsistencies that surface during QSA evidence review.
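As an added example (not code from the original article), the following Python sketch models the single schema described in the inventory section and reused here for the gap assessment: each entry carries the article's fields plus a derived IR 8547 category, and a check flags missing owners, quantum-vulnerable entries and a TLS-only scope. The algorithm sets, field names and sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Public-key families the article names as quantum-vulnerable (RSA, ECC and classic
# DH); PQC_TARGETS are the finalized standards it cites as migration targets.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "EdDSA", "DH"}
PQC_TARGETS = {"ML-KEM": "FIPS 203", "ML-DSA": "FIPS 204", "SLH-DSA": "FIPS 205"}
IR8547_HORIZONS = (2030, 2035)  # the two IR 8547 transition years the article cites
# Fields the article says every 12.3.3 inventory entry should capture.
REQUIRED_FIELDS = ("asset_id", "algorithm", "key_length", "protocol_context",
                   "data_classification", "owner")

def ir8547_category(algorithm: str) -> str:
    """Derive the deprecation-risk category recorded on each inventory entry."""
    if algorithm in QUANTUM_VULNERABLE:
        return f"quantum-vulnerable (IR 8547 horizons {IR8547_HORIZONS[0]}/{IR8547_HORIZONS[1]})"
    if algorithm in PQC_TARGETS:
        return f"PQC target ({PQC_TARGETS[algorithm]})"
    return "outside the quantum-vulnerable public-key set"

@dataclass
class InventoryEntry:
    asset_id: str
    algorithm: str
    key_length: int             # bits; 0 marks an unknown value
    protocol_context: str       # e.g. "TLS 1.3 key exchange", "HSM key wrapping"
    data_classification: str    # what the algorithm protects, e.g. "PAN in transit"
    owner: str                  # named owner required by 12.3.3
    ir8547_category: str = field(init=False)

    def __post_init__(self):
        self.ir8547_category = ir8547_category(self.algorithm)

def find_gaps(entries: list[InventoryEntry]) -> list[str]:
    """Flag incomplete entries, quantum-vulnerable assets, and a TLS-only scope."""
    gaps = []
    for e in entries:
        gaps += [f"{e.asset_id}: missing {f}" for f in REQUIRED_FIELDS if not getattr(e, f)]
        if e.algorithm in QUANTUM_VULNERABLE:
            gaps.append(f"{e.asset_id}: {e.algorithm}-{e.key_length} protects "
                        f"{e.data_classification}; needs a dated migration milestone")
    if entries and all(e.protocol_context.startswith("TLS") for e in entries):
        gaps.append("inventory scope: TLS-only; HSM and internal API entries absent")
    return gaps

# Constructed sample inventory, not data from any real environment.
SAMPLE_INVENTORY = [
    InventoryEntry("tls-edge-01", "ECDH", 256, "TLS 1.3 key exchange", "PAN in transit", "netops"),
    InventoryEntry("hsm-pin-01", "RSA", 2048, "HSM key wrapping", "PIN working keys", ""),
    InventoryEntry("db-rest-01", "AES", 256, "database encryption at rest", "PAN at rest", "dba"),
]
```

Running `find_gaps(SAMPLE_INVENTORY)` reports the unowned HSM entry and both RSA/ECC assets, while an inventory containing only the TLS entry additionally triggers the scope finding.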

The QSA's Role: Questions to Raise Before the Client Does

QSAs have a professional interest in raising PQC exposure before it becomes a finding they could not have anticipated. The following questions are grounded in current standards and appropriate to introduce during scoping or pre-assessment discussions:

  • Does your 12.3.3 inventory include HSMs, internal key management systems, and system-to-system APIs, or only network-layer TLS?
  • Does your response strategy reference NIST IR 8547 deprecation timelines for RSA and ECC?
  • Have you assessed your HSM vendor's published roadmap for FIPS 140-3 PQC module support?
  • Does your out-of-cycle monitoring trigger definition include NIST algorithm deprecation publications?
  • Has your organization reviewed FIPS 203, 204, and 205 as candidate replacement algorithms for your quantum-vulnerable key establishment and signature schemes?

None of these questions assert that PQC migration is currently required under PCI DSS. All of them are defensible against the existing 12.3.3 text and the current NIST standards landscape. Raising them now positions the annual review as a PQC readiness accelerator rather than a checkbox exercise — and gives clients the lead time to address gaps before PCI SSC formalizes PQC requirements, which most practitioners expect to occur within this planning horizon.

Before the next annual review cycle, download the PCI DSS v4.0 standard from the PCI SSC Document Library and compare your current 12.3.3 response strategy against NIST IR 8547's deprecation categories for RSA and ECC. If the strategy contains no reference to the 2030 disallowance or 2035 deprecation timelines, that gap should be closed before the QSA raises it.

Key Takeaways

  • PCI DSS v4.0 Requirement 12.3.3 has been enforceable since April 1, 2025. Second-cycle annual reviews are underway, and gaps in first-cycle inventories are surfacing.
  • PCI SSC has issued no standalone PQC guidance as of early 2026. This is not a safe harbor — it transfers interpretive burden to the organization and creates audit risk for teams whose response strategies do not engage with NIST's published deprecation framework.
  • NIST IR 8547 targets RSA and ECC for disallowance after 2030 and full deprecation by 2035. These timelines are available today as structuring anchors for 12.3.3 response strategies.
  • FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), finalized August 2024, are the concrete migration targets organizations can reference in their response strategy without waiting for PCI SSC guidance.
  • Non-TLS environments — HSMs, internal key management, system-to-system APIs — are consistently under-inventoried in 12.3.3 submissions and carry significant quantum exposure.
  • QSAs should raise PQC coverage questions during scoping, not after evidence collection. The 12.3.3 annual review is the most natural existing forcing function for advancing client PQC readiness.
  • A PQC gap assessment and a 12.3.3 inventory should use the same taxonomy to avoid conflicting findings during QSA evidence review.

Primary sources:

This article draws on primary documentation from PCI DSS v4.0 (PCI Security Standards Council), NIST IR 8547 (initial public draft), NIST FIPS 203, FIPS 204, and FIPS 205, and NSM-10 (White House, May 2022). All claims verified against official sources as of April 2026.

Disclaimer: This content is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Consult a qualified professional before making compliance decisions. pqcinformation.com is independent and not affiliated with any vendor or standards body.