Card Hunting: Finding Card Data For PCI

Discovery tools for Cardholder Data (CHD) are becoming essential for finding the places in your environment where sensitive data sits unprotected. If you do not know what sensitive data is in your environment, where it is located, how important it is to your company and who can access it, you cannot claim to have adequately protected it.

Many data breaches start with confidential data being handled somewhere it was never meant to be. Accidental disclosure, alteration or loss of sensitive data results in significant financial, legal or reputational damage to an organization or individual.

Sensitive data includes credit card numbers, Personally Identifiable Information (PII), Social Security Numbers (SSNs), state ID numbers, biometric data, medical records (PHI), passwords, digital signatures and trade secrets.

See Also: How can you make unreadable stored PAN information?

In today’s digital world, protecting confidential information from theft is no longer as simple as locking the filing cabinet. Safeguarding and controlling sensitive data has become harder still now that cloud storage is widely adopted.

If, however, you follow data protection standards and know your own data, you can stop sensitive information from flowing into another person’s or organization’s systems, where it becomes exposed to theft or leakage.

Sensitive data held in a single database is not hard to manage and control. In reality, however, data circulates continuously within the organization, into HR databases, business analysis, testing and decision-support systems, and that is what makes protecting it difficult. Criminals, for their part, go after whatever is easiest to take, whether that is on production servers or on POS terminals.

Many companies believe they know what is in their databases, but few really know what is in their databases and other network locations. Developers and network and database administrators assure management that no card details are stored on their systems, and many businesses accept that assurance and carry on with their PCI program on that basis.

Suppose your company has built an application specifically to avoid capturing confidential information. Someone may still run it in debug mode, at which point it logs the very data it was designed to avoid. There are more mundane cases too, such as an employee innocently e-mailing card details to a colleague as part of their work, and this risk grows as more staff work remotely.

See Also: How Can I Protect Stored Payment Cardholder Data?

Recorded voice calls at organizations such as BPOs, banks and insurance companies often contain a great deal of sensitive data read out by callers. Similarly, sensitive data in image formats such as .jpg, .gif, .png, .bmp and many others can be sitting in your environment without your knowledge.

Businesses can prevent these breaches by continually monitoring their environment and running data discovery against it.

What is PCI DSS Card Data Discovery, Which Data Is Searched?

Card data discovery is a systematic process for scanning, identifying and analyzing cardholder data along with other confidential, proprietary and personally identifiable information. Cardholder data includes the primary account number (PAN), cardholder name, expiration date and service code. Sensitive Authentication Data (SAD) covers full magnetic stripe (track) data, the card verification code (CAV2/CVC2/CVV2/CID) and PINs or PIN blocks, none of which may be stored after authorization.

Once the data and the Cardholder Data Environment (CDE) have been mapped, the effectiveness of the controls that support the confidentiality, integrity and availability of that data is analyzed. Data found on file systems, standard drives, databases and removable media is then either adequately secured or deleted, according to business need and retention period.

What are the PCI DSS Card Data Discovery Requirements?

When an organization works towards PCI DSS compliance, it is bound by strict rules that unnecessary or unauthorized data must not be stored on its systems. Finding such data is challenging: data you should not be keeping is often sitting on forgotten systems or buried several folder layers deep.

See Also: Parts of a Debit or Credit Card and How They Work

Organizations use the cardholder data discovery process to analyze the contents of workstations and servers, including the memory of retail POS systems, to verify that card data is not being stored unprotected.

Using a capable tool that thoroughly searches file systems and databases for card data is the only realistic way to be sure no inappropriate data is circulating in your environment.

Hunting down unencrypted card data plays a critical role in securing customer payment data.

Common risks that you should know are as follows:

  • Payment gateway integrations exchange encrypted data with the vendor’s server, but a misconfigured gateway or verbose logging can dump the whole request, PAN included, into a text or XML file.
  • Payment data saved on a desktop, in iCloud, Google Drive and similar services is continuously synchronized to smartphones and tablets outside the perceived corporate environment by cloud synchronization.
  • Email is probably the number one place where card data originating from many different endpoints is discovered.

Treating cardholder data discovery as a priority rather than a luxury would be a massive step towards promoting data protection for customers and preventing your business from becoming another headline for data breaches.

See Also: What do credit card numbers mean?

Card data on smartphones, tablets, laptops and other BYOD endpoints must not be forgotten either. There is a lot to consider in cardholder data discovery, because undiscovered cardholder data threatens your PCI compliance and leaves your organization wide open. Is that a risk you want to take?

Card data discovery tools are essential to ensure security and compliance at the start of a PCI DSS program and after compliance.

PCI DSS requires the accuracy of the assessment scope to be confirmed, at least annually, so that coverage is correct. Discovery of unencrypted card data is required under PCI DSS Requirement 3.1 (Requirement 3.2.1 in PCI DSS v4.0), which calls for a quarterly process to identify and securely delete stored cardholder data that exceeds the defined retention period. Understanding the best approach to searching for card data is therefore an important matter for any company.

Card data discovery should be performed at least annually. Even when the documented scope states that no cardholder data is stored, card details may still have been left behind somewhere by mistake.

Such data may date from before the organization came under PCI DSS, or may have been stored in breach of the organization’s own card-handling procedures.

See Also: What are the PCI DSS Data Retention and Disposal Requirements?

One of today’s most significant operational threats is data stored in unrecognized locations. Card data that was stored by accident, and that nobody is monitoring, is among the first things an intruder goes after. To reduce this risk, organizations must securely handle and remove cardholder data that exceeds its retention period, checking at least every three months.

Organizations should consider the following five factors on PCI DSS Card Data Discovery and when scanning card data:

  • The card data discovery range should be enterprise-wide: The purpose of a card data discovery exercise is to find every location where card data is stored, so its scope should cover the entire organization, not just the documented PCI DSS scope or the Cardholder Data Environment (CDE). In most cases you will find card data in the places you least expected.
  • Data can be stored on different platforms: All systems, databases, networks and file systems should be scanned thoroughly. Organizations often assume that data loss prevention software will do the job, but many DLP products do not support the databases, operating systems, cloud services, voice platforms and mail servers in use, and the result is that sensitive data locations remain unknown.
  • Agentless discovery tools: Agentless card data discovery tools are better suited to smaller networks, say fewer than 100 systems. Because every file has to be opened over the network and checked for possible card numbers, a card data scan takes far longer than a vulnerability scan, so it is best run during periods of low usage; for larger estates, agent-based tools that scan each host locally scale better.
  • Card data can be stored in different formats: Data can end up in any kind of file, including temporary files and RAM dumps, so a card discovery exercise should cover every storage format that could hold it.
  • False positives are one of the biggest obstacles in the data discovery process: In any discovery exercise the accuracy of the results is critical. Every hit must be validated, because only accurately classified data can be protected and reported on, and the results need to be reviewed over time with the process iterated.

The card data discovery process should begin with a review of the current network, data flow diagrams and known Cardholder Data (CHD) locations, followed by interviews with stakeholders about where cardholder data is stored, processed and transmitted. Once complete, this should give an accurate picture of the current scope.

Many licensed and open source tools search servers, networks, and databases for cardholder data. You can find these tools below.

What Are Licensed Credit Card Discovery Tools?

There are advanced tools that can search for PANs in many kinds of location, and they generally work well in large heterogeneous environments. Evaluate candidate tools against the results of your scoping exercise to determine which are right for your environment.

You can meet the PCI DSS card discovery requirement with licensed tools such as Nessus, Ground Labs Enterprise Recon, SecurityMetrics PANscan and ControlCase CDD.

Nessus

Nessus, a network vulnerability scanner, has a Windows File Contents Compliance Checks plugin (plugin ID 24760) that can be configured to find specific types of data on Windows systems.

Nessus also provides pre-made audit files for common types of sensitive data such as credit card numbers, social security numbers and driver’s license numbers, all of which are data types covered by most state breach-notification laws.

Given credentials for file system access, Nessus reports the systems on which the check failed, that is, where card data was found. Configure it to show the location of the data but to mask what it finds, so that the scan report itself does not become another place where PANs are stored. Searching every file on a Windows host can take a long time, so consider breaking the search down by network segment.

Ground Labs Enterprise Recon

Enterprise Recon is software for data discovery and compliance that allows organizations to find and fix sensitive data across platforms.

Enterprise Recon natively supports sensitive data discovery on Windows, macOS, Linux, FreeBSD, Solaris, HP-UX and IBM AIX.

Enterprise Recon offers both agent-based and agentless discovery. Additional remote options allow searching virtually all stored network data, including EBCDIC data on IBM mainframe hosts.

Ground Labs Card Recon

Card Recon scans files, memory, and even deleted locations on workstations and file servers while analyzing hundreds of file types to reliably identify credit card numbers provided by major payment card brands.

Card Recon can identify card data stored in a wide variety of formats, including office documents, email clients and even multi-layer ZIP files.

Security Metrics PANScan

SecurityMetrics PANscan finds unencrypted payment card data on your computers so that any sensitive data found can be securely deleted or encrypted. PANscan identifies primary account numbers and magnetic stripe track data on computer systems, hard drives and attached storage devices.

ControlCase Data Discovery

ControlCase Card Data Discovery (CDD) is a tool that scans for unencrypted critical data in file systems, including content exported from Office 365, and for card data in most proprietary and open source databases, computers and drives.

CDD is generally a fast card data scanner. It uses minimal resources and requires no agents or plugins on the scanned machines, and it identifies PAN, track data, PIN, CVV or other unencrypted sensitive data that has been stored unintentionally somewhere on your network.

What Are Open Source Credit Card Discovery Tools?

There are also open-source tools that search for PANs, such as ccsrch, PANhunt, Pantastic and PANBuster; these usually work best in simple, small environments. Some of them run locally on the device being scanned.

Open source card discovery tools also produce many false positives. Most work only on flat files and cannot query databases for PANs. They are nonetheless a good starting point for PAN screening and discovery, though analyzing the scan results, weeding out false positives and remediating the confirmed data stores can be demanding.

Panhunt

PANhunt is a Python script that is also distributed as a standalone executable, so it can be run from a USB stick. It uses regular expressions to find card data in documents and email files, searching Word documents, TXT files, Excel spreadsheets, PST mailboxes and XML files for Visa, MasterCard and American Express numbers.

PANhunt also searches ZIP files recursively and produces a report listing the PANs it identified, masked. Some system files produce false positives, so Windows system directories are excluded by default.

CCSRCH

ccsrch is a cross-platform tool for searching file systems for credit card numbers (PANs) during security assessments. It runs on Windows and UNIX systems, searches for unencrypted, contiguous PAN digit runs, reports the location of each PAN within the file, and records the file’s MAC (modified, accessed, changed) times.

Pantastic

Pantastic scans your computer for credit card PANs. Its configuration lets you ignore specific IINs, Major Industry Identifiers (MII), specific card numbers, file types and deprecated issuers.

The script evaluates candidate numbers of 12 to 19 digits and classifies them by industry sector, determining the issuer by IIN and validating each candidate with the Luhn check. It recognizes numbers written as a single run of digits or split into groups, and includes several methods for detecting false positives.

PANBuster

PANBuster is a powerful command-line tool for identifying PANs and track data. It runs on Windows, Linux and macOS. PANBuster identifies card brands such as Visa, MasterCard, American Express, JCB, Discover and China UnionPay in files or cache, can parse compressed files in memory, and detects PAN data in MySQL data files, MSSQL backup files, PostgreSQL and Oracle dump files.

CardScan4Linux

The CardScan4Linux script scans files stored on a Linux system locally for credit or debit card data. It is lightweight and needs no additional Python libraries.
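The open-source tools above all follow the same pipeline: pull out candidate digit runs with a regular expression, drop the ones that fail the Luhn check, classify the survivors by IIN and length, and report them masked. The Python script below is an added example of that pipeline written for this page; it is not the code of PANhunt, ccsrch, Pantastic or any other tool named here. The IIN table is deliberately simplified, the ignore list holds one widely published test PAN, and the directory it scans is constructed in a temporary folder from test numbers rather than real cards.

```python
"""Added example: regex candidates -> Luhn -> IIN/length check -> masked report,
with recursive ZIP unpacking and a skip list, as the open-source tools above do."""
import io, os, re, tempfile, zipfile

# 13-19 digits with optional single space/dash separators, not bordered by other
# digits (so a 20-digit order number is not reported as a 16-digit PAN).
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Simplified IIN ranges and lengths; real tools carry far longer tables.
BRANDS = [
    ("Visa", re.compile(r"^4"), {13, 16, 19}),
    ("Mastercard", re.compile(r"^(5[1-5]|22[2-9]|2[3-6]|27[01]|2720)"), {16}),
    ("American Express", re.compile(r"^3[47]"), {15}),
    ("Discover", re.compile(r"^(6011|65|64[4-9])"), {16, 19}),
]
IGNORED_PANS = {"4111111111111111"}  # Luhn-valid but a known test number, not a finding
SKIP_DIRS = {"Windows"}              # noisy system tree, excluded as PANhunt does by default
MAX_ZIP_DEPTH = 3                    # stop unpacking here (nested archives, zip bombs)

def luhn_ok(digits):
    """Luhn mod-10: every genuine PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(digits):
    """Brand whose IIN range and length both match, else None."""
    for brand, iin_re, lengths in BRANDS:
        if iin_re.match(digits) and len(digits) in lengths:
            return brand
    return None

def mask(digits):
    """First six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Yield (offset, brand, masked_pan) for each candidate that survives the filters."""
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if digits in IGNORED_PANS or not luhn_ok(digits):
            continue
        brand = classify(digits)
        if brand is not None:        # Luhn-valid but unknown IIN/length = false positive
            yield m.start(), brand, mask(digits)

def scan_bytes(name, data, depth=0):
    """Scan one blob; recurse into ZIP members so archives cannot hide card data."""
    if depth < MAX_ZIP_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for m in zf.infolist():
                if not m.is_dir():
                    hits += scan_bytes(f"{name}!{m.filename}", zf.read(m), depth + 1)
        return hits
    # latin-1 maps every byte to one code point, so binary files scan without decode errors
    return [(name, off, brand, masked) for off, brand, masked in find_pans(data.decode("latin-1"))]

def scan_tree(root):
    """Walk a tree and return sorted (file, offset, brand, masked_pan) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    hits += scan_bytes(os.path.relpath(path, root).replace(os.sep, "/"), f.read())
            except OSError:
                continue
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data using published test PANs, not real cards."""
    files = {
        # misconfigured gateway dump: one PAN next to a 20-digit order id (no hit)
        "gateway/txn.xml": "<txn><pan>4012-8888-8888-1881</pan><order>12345678901234567890</order></txn>\n",
        # developer fixtures: an ignored test number and a Luhn failure (no hits)
        "fixtures.txt": "test pans: 4111111111111111 and 4111 1111 1111 1112\n",
        # a valid PAN inside the skipped system directory (no hit)
        "Windows/Temp/cache.dat": "6011111111111117\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
    inner = io.BytesIO()                            # ZIP inside a ZIP
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("cards.csv", "378282246310005,5555 5555 5555 4444\n")
    with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())

def demo():
    """Build the sample tree in a temp dir, scan it, return the masked findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for name, off, brand, masked in demo():
        print(f"{name} @ {off}: {brand} {masked}")
```

Run as a script, it prints one line per hit with the PAN masked to first six and last four, which is what a report should contain: a scan report that stores full PANs is itself a new location of cardholder data. Two details practitioners often get wrong are covered: digit-boundary lookarounds, so a 20-digit order number is not reported as a 16-digit PAN, and recursion into ZIP members, so archives do not hide findings.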

How to Choose the Best Data Discovery and Scan Tool for PCI Compliance?

The essential criteria for a data discovery tool used to scan for card data as part of PCI DSS compliance are as follows:

Different formats and sources: The card data scanning tool should be flexible enough to identify data in many formats, including audio, Excel, ZIP files, text documents, PDF files and images. It should also be able to scan a variety of systems, such as Windows servers, IBM AIX servers, Oracle and SQL Server databases, MySQL databases, Solaris servers and Linux systems (Ubuntu, CentOS).

Take action to correct: The tool must be able to identify non-compliant data and to mask, truncate or delete unencrypted payment card data stored on network systems, hard drives, databases and in email. It should also generate reports suitable for demonstrating PCI DSS compliance.

1. Know Your Files and Data Scope

When working with a file, it is essential to know whether it holds hidden sensitive data. Some helpful tips:

  • Keep track of the types of confidential information stored in your environment.
  • Identify the servers or storage devices that usually contain these types of files.

2. Consider data retention needs

When you have finished using or examining a file containing sensitive data, consider whether it should be kept at all.

  • Does saving the file serve a business need?
  • Is there a contractual or legal requirement to retain the information?

3. Remove sensitive data that is no longer needed

Remove files that contain confidential information and do not need to be kept. With sensitive data, less is more; in particular, get rid of any unencrypted card data that has no business reason to exist.

4. Protect sensitive data that needs to be protected

If sensitive data needs to be stored, it must be protected. Here are some easy measures you can take to enhance the protection of sensitive data:

  • Encrypt all necessary data to be stored.
  • Grant need-to-know-based access only.
  • Do not use removable media to store confidential data.
  • Scan for sensitive data quarterly or monthly.

What are the common hiding places for payment card data?

Payment card data leaks into networks through poor processes or misconfigured applications, including applications that were never meant to store sensitive data. Common places where card data turns up are:

  • Error logs
  • Accounting departments
  • Sales departments
  • Marketing departments
  • Customer service representatives
  • Administrative assistants
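The “mask, truncate or delete” criterion above and the error-log hiding place just listed both come down to the same operation: rewriting text so that a full PAN no longer appears in it. The Python below is an added example, not code from this article or from any tool it names. truncate_pans() reduces every Luhn-valid card number in a string to first six and last four, and PanTruncatingFilter applies that to log records before a handler writes them, which is what the “application run in debug mode” case earlier on the page needs. The checkout request it logs is constructed with a published test PAN.

```python
"""Added example: truncate PANs in free text and stop debug logging from writing
full card numbers, the 'mask, truncate or delete' remediation from the criteria above."""
import io
import logging
import re

PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

def luhn_ok(digits):
    """Luhn mod-10 check, so order numbers and timestamps are left untouched."""
    total = sum(int(c) if i % 2 == 0 else (int(c) * 2 - 9 if c > "4" else int(c) * 2)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0

def truncate_pans(text):
    """Replace each Luhn-valid 13-19 digit run with first six + last four.
    That form is not cardholder data under PCI DSS and still lets support
    staff match a log line to a transaction."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()        # order ids, timestamps etc. stay as they are
        return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, text)

class PanTruncatingFilter(logging.Filter):
    """Rewrites the fully formatted message before any handler writes it, so a
    dict or exception passed as a %s argument is covered, not just the template."""
    def filter(self, record):
        record.msg = truncate_pans(record.getMessage())
        record.args = ()            # already merged into msg
        return True

def make_logger(name, protected):
    """Logger writing to an in-memory buffer so the demo can show what would reach disk."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if protected:
        handler.addFilter(PanTruncatingFilter())   # on the handler: covers every logger routed here
    logger.addHandler(handler)
    return logger, buf

def log_checkout(protected):
    """The 'debug mode' leak from the article: a developer logs the whole request.
    Constructed request using a published test PAN. Returns the resulting log text."""
    logger, buf = make_logger("checkout-" + ("safe" if protected else "leaky"), protected)
    request = {"order": "12345678901234567890", "pan": "4012 8888 8888 1881", "exp": "12/29"}
    logger.debug("checkout request: %s", request)
    logger.info("order %s accepted", request["order"])
    return buf.getvalue()

if __name__ == "__main__":
    print(log_checkout(False), end="")
    print(log_checkout(True), end="")
```

Running the script prints the leaky and the protected log output one after the other. The filter sits on the handler rather than the logger so that every logger routed to that file is covered, and it formats the message first so that a dict or exception passed as a %s argument is sanitized too. The same truncate_pans() can be run line by line over existing log files turned up by a discovery scan, after which the originals should be securely deleted.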

7 Tips on Finding and Securely Storing Card Data

The Discovery of data is not a one-off process. It is necessary to schedule scans at regular intervals to ensure PCI compliance at all times.

A thorough investigation is required to identify cardholder data properly. Initially, the research should include a review of the existing network, data flow diagrams, CHD locations, and discussions with stakeholders regarding the storage, processing, and transmission of cardholder data.

When this process is complete, either the current scope is confirmed as correct, or it turns out that the documented scope is much smaller than reality. Any changes should be agreed with both the program managers and the data owners concerned.

The known locations are established at this stage, but how can you verify that they account for all cardholder data, both inside and outside the PCI scope? Data is often stored in unexpected locations, and it is essential to identify them. In short, this is data leakage.

Where the scope of an environment is incomplete, the controls needed to protect stored cardholder data will be incomplete or not enforced at all. This is where card data discovery software helps.

  • Interview Employees: Find out how various departments are working with card data.
  • Card flow diagram: Know where and how your systems interact with card information.
  • Use Software: Run a card data discovery tool to scan card data.
  • Secure Data: Correctly delete or encrypt card data.
  • Restrict Access: System access should only be available to approved personnel.
  • Consider Data Storage: Avoid saving card data when you don’t need it.
  • Network segmentation: Isolate the systems that store, process or transmit card data from the rest of the network, and reduce the number of such systems.
Surkay Baykara, http://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.
