Data Discovery likely to become mandated in PCI DSS v1.3 / 2.0

Penetration Testing Experts


At long last, the standard finally looks like it will mandate that merchants / service providers conduct regular scans for accidental (leaked) and legacy stores of card data on networks.

I have long advised this, but always got the kick back from merchants that ‘well, it's not in the standard so we're not going to do it', so this would be a most welcome change instead of having to got through the lengthy process of educating merchants that you have to know where your data is, before you secure it.

So where have I found card data before?

In no particular order:

Exchange mail boxes
Test SQL databases
Excel spreadsheets
Microsoft Access (noting it doesn't fall into the proper database category.. :P)
Historical transaction logs
Transaction logs that weren't securely deleted and still hanging around on the file system
In filing cabinets
On the floor round the back of the shredding cabinet
In debug logs
On Post It notes (aren't they great?)
Wireshark trace files

In fact, if you're a merchant and take credit card transactions, then I reckon there's a 90% chance that this information is in places where it shouldn't be, but more importantly, in places you don't know about….

Roll on v1.3. I hope that after a 2 year review process the standard will reflect more than what looked like a day's worth of changes last time.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top