eDiscovery for credit card numbers and PCI DSS compliance

Sep 17, 2009

One of the areas in which 7Safe works is compliance with the payment card security standard PCI DSS. A big issue within the standard involves the unencrypted storage of debit and credit card numbers, or PANs (Primary Account Numbers), and other associated sensitive data.

As you can imagine, many companies taking credit card payment can inadvertently store such PANs in clear text and not be aware of this until disaster strikes. Often this disaster comes courtesy of someone (hacker, employee, opportunist) infiltrating the systems that hold the card data, then taking a copy which ends up being used by fraudsters. There is an active and ready market for stolen credit card numbers and it's big bucks.

One way of minimising the likelihood of such disasters is to ensure that any unencrypted card data is located and remedied, but where to begin?

We have been able to help a number of clients with a consulting service that utilises an internally developed software tool called 7seec. In essence, 7seec scans disks for unencrypted payment card data; it is fast (up to 50MB per second), does not write to the disk, opens and searches nested archives (e.g. zip) and even scans deleted files. Our consultants are now using 7seec on Windows and many Unix-flavour systems on a regular basis.
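As an added illustration of the core check such a scanner performs (example code written for this post, not 7seec or any 7Safe code), the Python below finds candidate PANs in a text buffer, keeps only those that pass the Luhn checksum and match an assumed issuer-prefix table, and reports each one truncated to first six / last four digits so the finding is not itself cleartext card data. The sample input and the prefix table are constructed assumptions; real scanners also handle binary slack space and archives, which this snippet does not.

```python
import re
from typing import List, Optional, Tuple

# Candidate PAN: 13-19 digits with optional single space/dash separators, not inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes/lengths assumed for this example; a real scanner uses a maintained BIN table.
_BRANDS = (
    ("visa", re.compile(r"^4(\d{12}|\d{15}|\d{18})$")),
    ("mastercard", re.compile(r"^(5[1-5]\d{14}|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)\d{12})$")),
    ("amex", re.compile(r"^3[47]\d{13}$")),
    ("discover", re.compile(r"^(6011|65\d\d|64[4-9]\d)\d{12,15}$")),
)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum shared by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(digits: str) -> Optional[str]:
    return next((name for name, pat in _BRANDS if pat.match(digits)), None)

def mask(digits: str) -> str:
    """Truncate to first six / last four so the report is not itself cleartext PAN storage."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> List[Tuple[int, str, str]]:
    """Return (offset, brand, masked PAN) for each candidate that is Luhn-valid and issuer-plausible."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = brand_of(digits)
        if brand and luhn_ok(digits):
            hits.append((m.start(), brand, mask(digits)))
    return hits

# Constructed sample resembling an order log; the numbers are the card schemes' published test PANs.
SAMPLE = (
    "order=1001 pan=4111 1111 1111 1111 exp=12/11\n"
    "order=1002 pan=4111-1111-1111-1112 exp=01/12\n"  # Luhn check fails
    "ref=1234567812345670 amex=378282246310005\n"     # ref passes Luhn but has no issuer prefix
    "mc=5555555555554444\n"
)
```

Calling `find_pans(SAMPLE)` yields three findings (Visa, Amex, Mastercard) and drops the Luhn-failing and prefix-less digit runs, which is the false-positive filtering that keeps a disk-wide scan's report usable.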

Although it sounds simple, 7seec has been continually developed for 2 years and has proved invaluable both in data breach scenarios (since it is forensically sound) and in PCI compliance scanning exercises that search for cardholder data.