Card Data Discovery Frequently Asked Questions (FAQ)

We handle most common file types including Microsoft Office documents etc. Here is a recent list of file extensions we scan for by default: txt, doc, docx, csv, xls, xlsx, rtf, tsv, bak, bck, bk, bkp, err, log, text, temp, tmp, xml, arc, trc, log, cfg, lck, lok, enr, out, in, sql, msb, dat, ds, is, msg, xsd, plb, nlb, dcr, dcn, aud, htm, rdf, odt, dbf, idx, cdx, bkd, bkl, lst, crd, tmp, 01300, bit, rpt, old, f05, trn, pdf, mdb, one, accdb, mht, zip.

With Enterprise CDD, you can add your own file types/extensions to be scanned.

We have spent multiple years and a significant amount of effort working on reducing false positives from our product results, and with every new release we keep improving this algorithm.

We run multiple filtering passes through the identified data to reduce the number of false positives discovered. Some common and obvious checks are regular expression matching and LUHN/Mod 10 checks, BIN range checks etc. In addition, we have developed some very sophisticated and proprietary algorithms to perform further checks. We also use our experience gained by scanning petabytes of real-world data globally for our various customers through our Card Data Discovery service to keep improving our false positive algorithm. (Most other product companies do not have such real-world experience nor do they have such a high degree of false positive management).

However, sometimes the numbers that we find (despite being valid card numbers) are not really card numbers. Such information can only be gleaned by a human using the context (file or database) in which the number was discovered.

In addition to the false positive management we built into our product, you can also improve the management by including and excluding card brands, files and directories using wildcard patterns etc. Our enterprise CDD software has a high degree and multiple passes of false positive management. We work with our customers to filter out false positives once they provide us the context that is specific to their environment.

Yes, we do.

We do NOT slow down computers or networks when we scan. In fact, we pride ourselves in the very low usage of resources and have been praised by customers who talked to us after trying other products.

We use a sophisticated algorithm, refined over multiple years, to discover all credit and debit card data stored in various files within the scope of PCI DSS. Of course, it includes LUHN checks, BIN checks, and length checks.

The card brands under the PCI DSS scope that we support are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. In addition to the above card brands, users can add their own card brands.

We can scan most Windows operating systems (Windows 7, 8, 10, 2000, 2003, 2008, 2012, 2016), and most Unix/Linux, Solaris, AIX, Apple Mac OS, HP UX, FreeBSD based systems can be searched using CDD.

We support most recent versions of Oracle, Microsoft SQL Server, MySQL, Sybase, DB2, Informix, MongoDB, Cassandra and PostgreSQL.

Yes, we can search through Oracle, Microsoft SQL Server, Sybase, MySQL, Informix, DB2, MongoDB, Cassandra and PostgreSQL databases in your enterprise, all from one location.

We don’t just scan the database files on the disk like other products, we actually scan the data in the database tables and columns and will precisely pin point the location of the data in the database/table and column down to the actual row.

Yes, you can exclude files or directories based on wildcards, e.g., you can exclude *.tmp files or all files in directories such as temp.*

Yes, you can exclude databases, tables or columns based on wildcards, e.g., you can exclude *temp* tables.

Yes – we search for all these data types that fall under PCI scope. Most products only look for the card numbers, which isn’t sufficient for PCI DSS compliance.

Yes, you can enter your own RegEx and we will search for data based on that RegEx. If you don’t feel up to it, we can write the regular expression for you.

Reports are available per scan and include file locations, names, network locations, masked card numbers, type of card, whether it is a PAN, CVV etc. Database reports include information about the server, database name, table, and column name instead of the file location. This data can be extracted into CSV and Excel and can be used for further analysis.

We also provide PDF reports and executive summary reports that can be provided to your QSA or auditor.

Yes – you can set the scan up once and then run it on a schedule. This will ensure that you are continually in compliance with PCI DSS. Scans can be run weekly, quarterly, semi annually and yearly with a lot of flexibility.

Yes, we can. And that too from one place.

No need to install agents on each machine. No need to maintain these agents.

We search through your entire enterprise from one location without taxing any CPU or network resources on the scanned machines.

Our scanning is highly non-obtrusive and we do not tax computing resources to accomplish our tasks. We invite our customers to try out the performance of the software and let it speak for itself.

Yes, you can exclude files that you verify as false positives to show up for subsequent scans.

Yes, we use the BIN ranges from various brands and issuers to further reduce false positives.

Yes, you can look for some common sensitive information (such as US Social Security Numbers [SSNs]), HIPAA information (such as ICD9 and CPT codes), certain driver’s license numbers, ZIP codes, bank routing numbers, UK National Insurance numbers, email addresses, etc. If we don’t support the data that you are looking for, we have the ability to search for data that matches any regular expression and we can help you write that expression and search using that expression. However, due to the nature of the data, the false positive rate for such numbers that cannot be validated is higher.

Yes, you can do all of that.

Yes, we scan Microsoft Exchange (2010 and 2013), Office 365, and Lotus Notes, in addition to Outlook email mailboxes on each workstation, including email attachments. We also can scan IMAP-based email servers.

Yes, we scan Lotus Notes emails and databases.

We do not store credit card data that we discover as is – we mask the digits when we store or report the findings. Hence, we do not increase the PCI scope at all. We don’t store the card data so there is no question of stealing anything from our scanner.

Please contact us for pricing.

Since there are many types of storage, generally speaking, we support any storage that provides itself as a CIFS or native OS based file system in Windows or Linux platforms. However, we have not tested every type of hardware manufacturer’s products and their implementation of CIFS protocols.

Yes, we scan Sharepoint both by scanning the web-based user interface and the backend databases.

Yes, we can look for sensitives or code words and custom word lists.

Yes, we we use Optical Character Recognition (OCR) to search for scanned images.

While we cannot directly scan mainframe systems, we can however scan EBCDIC based files that can be exported from mainframes.

No, the CDD server or scanner can install only on Windows, BUT we can scan Linux servers and machines (among other operating systems).

No, not at all. You install CDD on one server and that is all. You do not have to install CDD everywhere. This is a huge time saver when it comes to maintenance of our product. It is also a huge benefit of CDD in comparison to other products.