By using PANfinder to scan each of your systems for unprotected PAN data, you can ensure there are no live PANs residing in unknown locations and therefore no valuable card data available for hackers to steal. PANfinder also provides you with a way of proving that all PANs on your system are being stored in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
PANfinder Key Features
- PAN discovery & PCI-DSS scoping tool
- Extremely accurate - Intelligent false-positive reduction
- Several FASTscan™ options
- SIEM integration via Syslog
- Agent mode option
- Minimal CPU performance impact
- Configurable search criteria
- Automated searches and reports
- Scanning of open and locked files
- Helps meet PCI-DSS 3.2, 3.4 and 6.4.3
- Clear, PCI compliant reports produced
Do You Need PANfinder?
Fact: all companies know the exact routes that PANs take when they're processed through their computer systems. And all companies know where PANs are stored and how they're protected, correct? And all companies are 100% confident that no card data is being leaked to other sources, right? While that is the case for the vast majority of firms, there's a small minority of well-documented companies who were totally unaware about the buried trace files that were logging readable PANs... or the contractor who had copied a chunk of live data over to their test system... or the the malicious code which was duplicating unencrypted card data over to a hidden folder... The unfortunate thing for that minority of firms was that they all thought they knew exactly where their card data was, but they were wrong. Do you need a PAN search tool? Only you can answer that question.
PANfinder is only available for HPE NonStop servers
False Positive Reduction
You can never totally eradicate false-positive results - if you did, it's highly likely you'll be excluding genuine PANs from your results as well as the false-positives you're trying to avoid. To ensure PANfinder reports are of the highest possible quality, we've done a great deal of work on building in intelligence, such as (but not limited to) Luhn algorithm (aka Luhn formula) checks on all suspected PANs, to help ensure false-positives are the exception rather than the norm. It's easy to import your own regularly updated BIN/IIN database into PANfinder, making sure even the most recently issued payment cards are searched for.
One of the many user-friendly configuration options available to PANfinder users is the ability to search specifically for known test PANs - a great way of carrying out specific data leaks tests. On the flip-side, test PANs can also be excluded from PANfinder searches, eliminating the need to manually remove known test PANs from search results.
PANfinder has many flexible configuration options for how and when it performs its searches for PANs. You can schedule individual PAN scans or run in agent mode, where PANfinder constantly runs in the background, just scanning files as and when they're added/edited. Specific files and folders can be included or excluded as required, plus many more configuration options designed to suit each customer's individual environment.
Reports and SIEM integration
Summary and Detailed reports are generated as CSVs, making storage and analysis easy. As you would expect, the content of reports conforms to PCI-DSS requirements in terms of PAN-masking.
PANfinder's Syslog output can be used for integration into Security Information and Event Management (SIEM)/enterprise audit logging solutions such as LogLogic and RSA enVision etc.
PANfinder has several features designed to increase the speed of its data discovery scans.
Change-detection: once an initial scan has been carried out, PANfinder can be set to only look at files which have been changed/edited since its previous scan - vastly increasing overall scan speeds and reducing CPU overhead.
Summary Scan: PANfinder can be configured so that once a predefined number of suspect PANs have been found in a file, PANfinder will stop searching that file and move on to the next one. So rather than creating a huge list of suspect PANs, you're just creating a list of files containing suspect PAN data.
PANfinder can also be configured to only search files which have previously been identified as containing suspect PAN data - ideal for checking successful removal or encryption of PAN data.
PANfinder is quick and easy to install. A quick-start guide plus full product documentation is provided.
Our standard pricing model is based on an annual Term License, with discounts available if you commit to more than one year. All support, updates and enhancements would be included with the license fee. For further pricing details please contact us.
For a free no obligation evaluation of PANfinder please click here.
PANfinder and PCI-DSS
PANfinder is a PCI DSS Scoping tool.
Page 10 of PCI DSS V3.2: "The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope... ...The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined CDE (Cardholder data environment)."
Requirement 3: Protect stored cardholder data.
Requirement 3.4 states “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs)”. Can you be 100% sure live PANs aren't being copied to logs, trace files and other unknown locations? Find out for FREE by taking the PANfinder challenge.
PCI-DSS requirement 6.4.3 states “Production data (live PANs) are not used for testing or development.” Can you be absolutely sure there are no live PANS sitting on your test and/or development boxes?
PCI-DSS "Requirement Zero"
Verizon PCI report on automated data discovery states: "...many in the industry are calling for a “Requirement 0,” mandating automated data discovery. This would alleviate the issue of organizations only looking at data in locations where it’s supposed to be — within the existing card data environment — and neglecting to confirm that card data is not present elsewhere. This isn’t a requirement yet, but we’d recommend that organizations adopt this approach to keep their customer’s data is safe and simplify their compliance maintenance efforts.”
HP NonStop file formats searched
- Enscribe Structured files (key-sequenced, entry-sequenced and more)
- Enscribe unstructured files
- Edit files
- SQL/MP tables
- PAK files
- All files in Guardian and OSS environments