Regardless of the search tool you choose, you must have some idea of where to look for card data. As mentioned above, the most important part of this discovery process is a thorough analysis of all internal processes involving card data and an understanding of how credit card data flows through any networked computer system. Obvious locations to search are the systems directly involved in the storage, processing, or transmission of credit card data. The “eddies” where we typically find insecure card data being stored on these types of systems are web server logs, application or transaction logs, debug output files, etc. Best practice is to search the entire drive of any server involved in e-commerce or Point of Sale transactions.
Databases are also potential eddies. Be sure to check old, outdated database tables no longer in use or tables generated during testing or debug phases. Watch for any sensitive authentication data stored in databases near encrypted columns of data that may have been overlooked that still contain PIN numbers or CVV2 type data.
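As an added illustration of the kind of search the two paragraphs above describe (example code written for this page, not a tool the authors recommend or ship), the following Python scanner walks a directory tree of files and every table in a SQLite database, flags digit runs of 13 to 19 digits that also pass the Luhn mod-10 check, and reports only masked PANs (first six and last four digits) so that the discovery report itself does not become a new eddy. The web log, settlement file and `test_orders` table are constructed for the example; the 4111… and 5555… numbers are the industry's standard test card numbers, and the 1234… order number is there to show a Luhn-invalid run being filtered out.

```python
import os
import re
import sqlite3
import tempfile

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not glued to other digits on either side. (Constructed pattern.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every real PAN passes; filters order numbers, timestamps, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four; the report must not store full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs in text: regex candidates that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_directory(root: str) -> dict:
    """Walk every file under root (logs, CSV exports, debug dumps, old backups)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            # latin-1 maps every byte to a code point, so ASCII digits survive
            # whatever encoding (or binary junk) the file actually holds.
            hits = find_pans(raw.decode("latin-1"))
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def scan_sqlite(conn: sqlite3.Connection) -> dict:
    """Scan every column of every table, forgotten test tables included."""
    findings = {}
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for row in cur.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(cols, row):
                for hit in find_pans(str(val)):
                    findings.setdefault(f"{table}.{col}", []).append(hit)
    return findings


def build_sample_corpus(root: str) -> None:
    """Constructed files mimicking the eddies described in the post."""
    samples = {
        "web/access.log": (
            '10.0.0.5 - - [12/Mar/2019:10:15:02] "GET /pay?card=4111111111111111 HTTP/1.1" 200\n'
            '10.0.0.5 - - [12/Mar/2019:10:15:09] "GET /order/1234567890123456 HTTP/1.1" 200\n'),
        "backup/settlement_2019.csv": "txn_id,pan,amount\n1001,5555 5555 5555 4444,19.99\n",
        "notes.txt": "Call the processor on 555-0100 about batch 42.\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def build_sample_db() -> sqlite3.Connection:
    """Constructed test table: an encrypted column next to a free-text one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_orders (id INTEGER, pan_enc BLOB, notes TEXT)")
    conn.execute("INSERT INTO test_orders VALUES (?, ?, ?)",
                 (7, b"\x8f\x13\xa0\x55", "customer read 4111-1111-1111-1111 over the phone"))
    conn.commit()
    return conn


def demo():
    """Run both scans over the constructed samples and return masked findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_corpus(root)
        file_hits = scan_directory(root)
    db_hits = scan_sqlite(build_sample_db())
    return file_hits, db_hits


if __name__ == "__main__":
    file_hits, db_hits = demo()
    for source, hits in {**file_hits, **db_hits}.items():
        print(f"{source}: {', '.join(hits)}")
```

Running it reports the access log, the old settlement export and the `notes` column of the test table, and nothing from the order-number line or the phone number, because those fail the Luhn check or the length bounds. The same pattern extends to an archive of e-mail exports or a mounted backup image: point `scan_directory` at the mount and review the masked hits.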
Another common discovery we make on systems dealing directly with the transaction process is improperly deleted files that contained clear-text PAN data and were never securely wiped from the hard drive. This happens when a normal “delete” function is used rather than a secure-wipe delete. The data remains in unallocated disk space and is very easy to “reanimate” with simple file recovery tools. If you suspect historical data files or legacy logs were improperly deleted, you need to use a tool that wipes unallocated disk space (a good tool is Eraser, http://eraser.heidi.ie/).
Historical data is one of the biggest card data eddies. You find this type of data in old backups that may remain on network storage or tapes, historical settlement files that you just hate to get rid of “just in case,” files from older versions of POS software, etc. Also, don’t forget to look at decommissioned or reallocated computer resources that may have once been involved in credit card processing that now have other functions or are now located in different network zones.
We often find credit card data in locations outside of the network segments normally thought of as the credit card transaction environment. Following is a quick list of other areas where insecurely stored data swirls in eddies.
Accounting – Processes for balancing the books or doing charge reversals often gather unencrypted credit card data in files on employee workstations, in files stored on shared network file servers, or as printed media in big rubber-banded piles thrown in a storage cupboard.
Sales – Faxed forms containing credit card numbers may arrive as PDFs e-mailed by a network fax or show up in printed form. E-mailed data is especially difficult to locate and clean up because e-mail servers have extensive backup and rebuild capabilities to guard against data loss when one goes down.
Marketing – Copies of transaction history log files or databases containing transaction data are sometimes used for marketing research. The researchers don’t necessarily use the credit card data, but it may be there as a passenger.
Development – Copies of production data often make it into development and test systems used for debugging or new development testing.
Customer Service – These departments may take credit card numbers over the phone or provide customer service where access to numbers is required. We asked one customer service representative if she ever wrote down credit card numbers; her reply was, “Oh no, of course not, I always put them in this spreadsheet, but I hide the column so no one can see the numbers…” The file was saved on a shared file server.
Executive Suite – Administrative assistants often create a spreadsheet containing a company or executive’s credit card number for quick access when making payments, etc.
Credit card data storage can be pervasive, especially in companies where card data has been handled for a long time. It is essential to carefully consider the data flows and the places card data could be hiding, and when in doubt, run a data scan. New card data eddies tend to form, so it is always a best practice to run discovery tools periodically in areas where you may not think data resides. Don’t think you can find it all once and be done. Data discovery must be an ongoing process. We’re pulling for you, and so are the card brands. Hang in there and find that data!