General PAN discovery and PCI-DSS FAQs

What is a PAN?

PAN stands for Primary Account Number and is another name for a credit, debit or charge card number. It is the long number across the middle of a payment card and is a key item of cardholder data (CHD).

What's so important about PANs?

If you process, transmit or store PAN data (or any cardholder data for that matter), you must do so in accordance with PCI-DSS requirements. That could apply to anyone from small retailers that accept card payments to huge financial organisations.

What is PCI DSS?

PCI-DSS stands for Payment Card Industry Data Security Standard. PCI-DSS is a set of security standards created by the Payment Card Industry Security Standards Council (PCI SSC). Before the PCI SSC was created, all the major card companies (Visa, MasterCard, American Express etc.) each had their own set of similar security requirements. To avoid the issues involved with meeting several different sets of rules, the card companies got together to form the PCI SSC.

Who needs to be PCI-DSS compliant?

Broadly speaking, anyone who deals with payment cards and card payments. If you’re a company that stores PAN and/or cardholder data (CHD) on your servers and computers, then it’s vitally important that you keep that data secure and well protected – as required by PCI-DSS.

What is panfinder?

There are several different descriptions for the job that PANfinder does. Some describe it as PAN data discovery, some PAN data detection, some data leakage monitoring, others cardholder data discovery (CHD) and others data loss prevention (DLP)… All those descriptions are pretty accurate. Put simply PANfinder scans for and tracks down unprotected PAN data and produces a clear, PCI compliant, report on its findings.

What can panfinder do for my company?

PANfinder will scan your servers and PCs for suspected unprotected PAN data and produce a report that tells you where any suspected PAN data can be found. This can be invaluable information to have at the start of a PCI project, as it will research the extent of your PCI scope. You can then take steps to reduce the number of locations PANs are stored or processed, thus reducing the overall size of your PCI project. All PAN data left after deletetion or consolodation will have to be properly secured. Once you’ve taken steps to secure your PAN data, PANfinder will go to work to see if anything has been missed or if sensitive data is leaking out into unprotected areas.

We already take steps to secure our CHD/PAN data, so I assume we don’t need PANfinder?

If your QSA, auditor/s and company are happy to accept your word that there are no unprotected PANs on your system, that’s great. But we’re increasingly seeing QSAs and Security Managers ask the question: “How can we prove we don’t have unprotected PANs anywhere on the system?” Handing them a PANfinder report can carry a lot more weight than saying “I’ve had a really good look and I couldn’t find any, so you’ll just have to trust me!”

What's a QSA?

QSA stands for Qualified Security Assessor. QSAs are examiners/auditors that need to be certified by PCI SSC before they can assess companies for PCI compliance. If you need to become PCI-DSS certified, you’ll need a PCI QSA to carry out an assessment and provide your certification. A list of PCI QSAs is available on the PCI Security Standards Council website: www.pcisecuritystandards.org/QSAs

Does a clean PANfinder report guarantee my system is 100% free of unsecured PANs?

To coin Ben Franklin's well known phrase: "nothing is certain but death and taxes”. No, PANfinder comes with no guarantee that it will find every last hidden PAN on your system – and if you can find anyone who does make that promise, they’re lying!

Can I try PANfinder before I buy?

Yes, we’re happy to provide free evaluation licenses.

Will panfinder make me pci-dss compliant?

No, becoming PCI compliant can be a huge undertaking for some companies and there is no magic software wand you can wave.

Which PCI_DSS requirements will PANfinder help satisfy?

Aside from the valuable PCI scoping capabilities PANfinder provides (which is as essential part of any PCI-DSS compliance project), there are three PCI-DSS requirements which would apply: Requirement 3.2 states: “Do not store sensitive authentication data after authorization.” Requirement 3.4 states: “Render PAN, at minimum, unreadable anywhere it is stored”. How do you know exactly where you are storing PANs? Requirement 6.4.3 states: “Production data (live PANs) are not used for testing or development” How do you know there are no live PANS sitting on your test and/or development environments?

Is 4tech Software or PANfinder affiliated to any QSA or QSA company?

No, 4tech Software and PANfinder is entirely independent of any QSA or QSA company. We have however consulted with QSAs in the design stages of PANfinder to ensure that we satisfy QSA requirements for locating PAN and Sensitive Authentication Data (SAD).

Will PANfinder make my systems more secure?

No, PANfinder is a data discovery (data mining) tool, not a security tool. PANfinder will, however, provide you with the information you need to ensure your system security is targeted in the correct areas.

Once I'm PCI-DSS compliant, will that mean my systems are as secure as possible?

No. PCI-DSS requirements are a set of minimum standards you need to meet in order that the payment card companies will work with you. It is possible to have far more secure processes, practices and computer networks than those that only just meet PCI-DSS standards.

Can PANfinder also look for SSNs?

Not yet, but it's in development. PANfinder will soon have the option to look for American Social Security Numbers (SSNs) and Canadian Social Insurance Numbers (SINs).

More technical, panfinder-specific FAQs

Can we include/exclude specific card types from a scan?

Yes. PANfinder has many flexible configuration options in terms of what card types it can search for. Examples would be a search for all card types excluding AMEX. Another would be just searching for Visa numbers or just number's issued by a specific bank (BIN/IIN prefix numbers). Many other options are available.

Do you supply a command line version as well as GUI?

Windows customers receive both a GUI and Command Line versions of PANfinder. HP NonStop software is supplied as Command Line only.

Can PANfinder search a specific file set for PAN data?

Yes, PANfinder can be configured to include and/or exclude any number of files and/or documents.

Can pan scans be scheduled?

Yes, the Command Line version can be scheduled to kick off PAN searches as and when required. PANfinder can also be used in Agent mode, so it's constantly scanning files as they're edited.

What impact will PAN searches have on my system performance?

PANfinder performs highly intensive interrogations. While it performs those scans as efficiently as possible, intensive scans by their nature will use CPU cycles. Whether your system is affected by PANfinder and if so, by how much, will vary from system to system, depending on what other processes are running and how powerful your machines are. PANfinder CPU utilization can be adjusted as required to ensure other processes are not negatively impacted. By configuring PANfinder to use less CPU, the time taken to complete a PAN scan will be increased.

Does PANfinder also scan for track data?

Yes, as well as PANs, PANfinder always searches for track data, also known as mag stripe and track1/2 data.

Can I search files based on when they were added/created?

Yes, one of PANfinder's many configuration options give you the option to only scan files with have been created or edited before or after a specified time/date. A practical use of this feature would be where PANfinder is configure only files which have changed since

Does it require SUPER.SUPER privilege to perform the scan on HP NonStop systems?

SUPER.SUPER isn't a requirement, but PANfinder will only be able to access files according to the permissions of the User ID which runs the scan. The User ID running PANfinder requires read access to the files you wish to scan.

If the file permission is denied, is the scan aborted?

No. If PANfinder encounters a file which it can't access it skips the file and logs the event in the report file.

How are the scan's findings output?

PANfinder creates several .csv files. The summary file lists which files have been found to contain PAN and cardholder data. The report file contains much more detailed information, such as lists of suspect PANs and any file opening errors. The level or reporting can be configured to contain as little or much information as you require.

Larger organizations usually utilize the Syslog output to feed scan results directly to a secure SIEM (Security Information and Event Management) server.