Channel: SecurityMetrics Blog

Credit Card Data Discovery - Part 1 of 2

"We're not endorsing any discovery tools. But before you bring in a QSA, you really need to use some kind of methodology to find where cardholder data is on the network. Before, we hadn't really talked about using any of these methodologies. We just said you should know where your data is. We are now encouraging people to reach out using one of these discovery methods." - Bob Russo, PCI Security Standards Council

Merchants and service providers, large and small, are being asked to comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect sensitive data. The indications are that the next revision of the PCI DSS (v2.0, due in October 2010) will include requirements for the regular use of data discovery tools. A critical part of any PCI compliance effort is characterizing in detail where credit card data flows through networks and systems. You need to know every place where card data pools as part of a normal process, and every place where it is caught in an eddy along the way and ends up in unexpected or insecure (clear text) storage. Many of these eddies have nothing to do with the current transaction process; they are leftovers of old or disconnected processes.

As a Qualified Security Assessor for the Payment Card Industry, SecurityMetrics has seen many of the places where unexpected card data turns up, and the same locations recur across organizations. To find the hiding places where insecure storage is occurring, you need two things: 1) tools to uncover the data, and 2) places to look.

Credit card data search tools may look only for the Primary Account Number (PAN), or they may also recognize magnetic stripe data in the Track 1 and Track 2 formats. Most tools combine a regular expression search for candidate number runs with the Luhn (MOD 10) check digit test on each suspect PAN; the Luhn test alone is not enough, since many non-card numbers pass it, so the better tools also check issuer prefixes and card lengths and otherwise sort out false positives. Tools can be open source or commercial products. Most tools walk file systems; some can also be run over disk images to locate data that survives in improperly deleted files (unallocated disk space). Consider using more than one tool and technique during a card data discovery phase. The following tools can be used to search for card data:

SENF: http://www.utexas.edu/its/products/senf/
SPIDER: http://www.cit.cornell.edu/security/tools/
EnCase Forensic: http://www.guidancesoftware.com/
CCSRCH: http://sourceforge.net/projects/ccsrch/
Write your own: http://www.regular-expressions.info/creditcard.html
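As an added example for the "write your own" option above (not PANscan and not code from any of the tools listed), the scanner below shows the technique the paragraph describes: a regular expression finds candidate digit runs of 13 to 19 digits (allowing the spaces and dashes people type between groups), each candidate must pass the Luhn (MOD 10) test, an issuer-prefix check separates real card brands from numbers that merely happen to pass Luhn, and separate expressions pick out Track 1 and Track 2 formats. The issuer rules are an illustrative subset, not a full BIN table, and the sample log text is constructed, using the well-known test card numbers. Hits are reported masked (first six and last four digits) so the scan report does not itself become a new pool of clear text card data.

```python
"""Minimal PAN / track-data discovery scanner (constructed example, not PANscan).

Pipeline per candidate: regex -> Luhn (MOD 10) -> issuer prefix/length -> masked hit.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (the lookarounds stop matching substrings of long IDs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 Track 1 (format B): %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# ISO 7813 Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Assumption: a small, illustrative subset of issuer prefix/length rules.
# A production scanner carries the full BIN/IIN ranges for every brand in scope.
ISSUER_RULES = (
    ("Visa", re.compile(r"4\d{12}(?:\d{3})?(?:\d{3})?")),
    ("Mastercard", re.compile(r"5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12}")),
    ("American Express", re.compile(r"3[47]\d{13}")),
    ("Discover", re.compile(r"6(?:011|5\d{2})\d{12}")),
)


@dataclass
class Hit:
    kind: str             # "PAN", "Track1" or "Track2"
    brand: Optional[str]  # None when Luhn passes but no issuer rule matches (low confidence)
    masked: str           # first six and last four digits only
    offset: int           # character offset in the scanned text


def luhn_valid(digits: str) -> bool:
    """Luhn (MOD 10) check digit test over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # subtracting 9 == summing the two digits
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Brand name if the PAN matches a known prefix/length rule, else None."""
    for name, rule in ISSUER_RULES:
        if rule.fullmatch(digits):
            return name
    return None


def mask(digits: str) -> str:
    """PCI-style display: first six and last four digits, the rest starred."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def plausible(digits: str) -> bool:
    """Luhn check plus a cheap false-positive filter: all-same-digit runs pass Luhn."""
    return len(set(digits)) > 1 and luhn_valid(digits)


def scan_text(text: str) -> List[Hit]:
    """Find track data first, then bare PANs, skipping PANs already seen inside a track."""
    hits: List[Hit] = []
    covered: List[tuple] = []
    for kind, rx in (("Track1", TRACK1), ("Track2", TRACK2)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if plausible(pan):
                hits.append(Hit(kind, issuer(pan), mask(pan), m.start()))
                covered.append((m.start(1), m.end(1)))
    for m in PAN_CANDIDATE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group())
        if plausible(digits):
            hits.append(Hit("PAN", issuer(digits), mask(digits), m.start()))
    return sorted(hits, key=lambda h: h.offset)


def scan_bytes(data: bytes) -> List[Hit]:
    """Scan raw bytes (a file, or a chunk of a disk image); latin-1 keeps one char per byte,
    so hit offsets are byte offsets. Caveat: UTF-16 text (common on Windows) needs a second
    pass after decoding, because its digits are two bytes apart and will not match here."""
    return scan_text(data.decode("latin-1"))


# Constructed sample "stray debug log" using the standard test card numbers.
SAMPLE = (
    "2010-09-14 10:22:01 order=1234567890123456 amount=49.99 phone=555-123-4567\n"
    "2010-09-14 10:22:05 DEBUG raw card: 4111 1111 1111 1111 exp=12/25\n"
    "2010-09-14 10:23:17 auth retry pan=378282246310005\n"
    "2010-09-14 10:24:40 swipe dump: %B5555555555554444^DOE/JOHN^2512101?;5555555555554444=2512101?\n"
    "2010-09-14 10:25:02 ref=0000000000000000 token=1234567812345670\n"
)

if __name__ == "__main__":
    for h in scan_text(SAMPLE):
        print(f"{h.offset:5d} {h.kind:7s} {h.brand or 'unknown issuer':17s} {h.masked}")
```

Run against the sample, the 16-digit order number is dropped because it fails Luhn, the phone number is too short, the all-zero reference passes Luhn but is rejected by the repeated-digit filter, and the "token" value is reported with no brand because it passes Luhn but matches no issuer prefix; a practitioner would treat that last class as low confidence and review it by hand rather than discard it.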

PANscan is a tool developed by SecurityMetrics and is freely available for download. PANscan is easy to use, has a low false positive rate, and targets the merchant community. Its search algorithms are based on the proprietary search tools used by the SecurityMetrics computer forensic team. See the following URL for details on PANscan and instructions for downloading the tool: https://www.securitymetrics.com/sm/PANscan/

Posted by: Gary Glover - Director, Security Assessment, CISSP, QSA
