The document outlines the key elements of the PCI DSS card data discovery process, emphasizing the importance of identifying and securing sensitive cardholder data to prevent data breaches. Organizations are advised to conduct comprehensive scans across all platforms and file formats, using appropriate tools to ensure no unencrypted data is overlooked. Accurate scoping and thorough assessments of data storage locations are critical for enhancing data security and compliance with PCI DSS standards.

1. KEY ELEMENTS TO CONSIDER
THE PCI DSS CARD DATA
DISCOVERY PROCESS
Over the past few years, the industry has witnessed several incidents of high profile data breaches. Incidents like
these serve as a reminder for businesses to prioritize data security and strengthen their business environment.
Addressing the concern of data security, the Payment Card Industry Security Standard Council (PCI SSC) issued
guidelines under Payment Card Industry Data Security Standard (PCI DSS) for securely processing, storing,
transmitting payment card data. As per the PCI DSS Standard requirement, organizations in question need to
determine the scope of their PCI DSS assessment accurately and secure card data. Determining the scope
essentially involves discovering of unencrypted card data and securing the source to prevent breach/data theft.
It is interesting to note that most of the incidents of data breach/theft in the industry today is due to the lack of
securing data stored in undiscovered locations. This potentially exposes most organizations to the high-level risk
of a data breach. It is therefore essential for organizations to conduct a thorough assessment of Data Card
Discovery, to identify and if required securely delete cardholder data that is no longer required or has exceeded
the retention period.
In this article today, we have outlined key elements to consider while conducting the PCI DSS Card Data
Discovery Assessment. Consideration of these elements will ensure accurate scoping and data discovery across
the environment. However, before proceeding towards learning about the key elements, let us first understand
the term Card Data Discovery (CDD). This will facilitate better learning and understanding of the Card Data
Discovery process.
What is Card Data Discovery in PCI DSS?
Card Data discovery is a systematic process of scanning, identifying, and analyzing sensitive cardholder data that
are confidential, proprietary, and personally identifiable information. The card data typically includes primary
account number (PAN), Service Code, Magnetic Stripe Data, Sensitive Authentication Data (SAD), Card Verification
Code (CVV), and Personal Identification Number (PIN). So, once the Data and Cardholder Data Environment is
discovered, the effectiveness of relevant control systems that support the confidentiality, integrity, and availability
of that data are analyzed. The data which may be stored in the file systems shared drives, databases, and removable
media (CDE) is then accordingly secured or deleted based on the requirement of its necessity/retention period.
Key elements to consider the PCI-DSS Card Data Discovery
process
The process of Card Data Discovery should initially involve reviewing the existing network, data flow diagrams,
and Card Holder Data (CHD) locations. Moreover, a thorough investigation involving interviews with the
stakeholders involved in the storage, processing, and transmission of cardholder data must be conducted. On
completion, we either identify the current scope to be accurate or, define the scope way too less than it is to be. To
accurately define the scope the Card Data Discovery Analyzer must consider the following factors.

2. Scan the entire organizational network–
The main purpose of conducting a card data discovery scan is to identify both known and unknown areas, where
the card data is stored. In all our years of assessing and consulting for PCI DSS, we have seen n number of
organizations scanning only the Card Data Environment (CDE) for Card Data… this is quite silly if you think about it.
A CHD scan is required to confirm where in the organization the CHD is stored; if you are scanning you’re your PCI
Scope systems, then is this a confirmation in any manner that Card Data is not residing anywhere else in your
network?? Therefore, it is essential that the Scanner takes into consideration the entire organization’s network in
the scope of card discovery. So, this process will prevent ruling out any area of scope that may possibly have the
data stored in it unknowingly. Most often data are discovered in the least expected areas that are left out of scope
and are then exposed to a security breach.
Scan across platforms-
The data could typically be stored anywhere, on any platforms, systems, and network. It is therefore essential for
scanners to take into consideration all platforms including network, Cloud, mail servers, operating systems,
database platforms, and file systems when scanning for Card Data Discovery. Ruling out any of the systems,
networks, platforms, or any such similar location will end up remaining out of scope and possibly expose the
sensitive data to breach/theft.
Scan different file formats-
Sensitive Data could possibly be stored in any format (PDF, temp files, XML, PSD, TIFF, DOC, DOCX, RAM dumps)
and file types ( Encoded files, flat files, compressed files, database files, email files, audio files, databases of all
variants including flat files and even image files to name a few). So, as a part of best practice, the card discovery
process should involve scanning of all data storage formats and files thoroughly. Excluding any type could be a
huge risk for organizations looking to secure sensitive data.
Scan systems and applications-
Last but not the least, remember not to miss out scanning systems like hard drives, pen drives, smartphones,
tablets, laptops, desktops, and other computing devices systems and endpoints in a Card Data Discovery
Assessment process. It is very easy to miss out on the most obvious storage or location point when scanning a large
organization for unencrypted card data.
False Positives-
Be wary of false positives in the Card Data Discovery process. This is currently one of the major challenges faced in
the Data Discovery process. False positives could ruin the card Data Discovery exercise and completely hamper the
efforts of securing data and efforts of compliance. Accuracy in data discovery is absolutely critical for it helps
classify sensitive data in an organization and secures it from exposure.

3. © VISTA InfoSec ®
© VISTA InfoSec ®© VISTA InfoSec ®
Data Discovery tools-
Many organizations we see use tools that only scan txt and email but not databases… this in unacceptable.
Organizations must use a comprehensive software tool that typically scans every file, format, storage, operating
systems, networks, and platforms across the organization. Scanning and running through every location and
looking for unencrypted card data is absolutely essential and vital in protecting customer payment data. Investing
in the best tool for scanning and skimming data for card data discovery can greatly benefit the business and
prevent them from ramification of the a data breach.
Conclusion
Organizations should carefully scan their environment to prevent ruling out any possible unencrypted data that
may lead to a breach. Use the right scanning tool and adopt all necessary manual process in scanning systems, and
networks of your organization. Take into consideration the above mentioned key elements and factors when
processing card data discovery and your organization is sure to achieve success in accurately scoping and card data
discovery. Should u need any support or clarifications in defining the scope of your Card Data Environment, do
drop us a line at ask us [@]vistainfosec.com
facebook.com/vistainfosec/ in.linkedin.com/company/vistainfosec twitter.com/VISTAINFOSEC
Do write to us your feedback, comments and queries or, if you have any requirements:
info@vistainfosec.com
You can reach us on:
USA
+1-415-513 5261
INDIA
+91 73045 57744
SINGAPORE
+65-3129-0397