PANscan - SecurityMetrics
SecurityMetrics PANscan™ QuickStart Guide
2 | SecurityMetrics | Introduction
Contents
Chapter 1: Introduction ... 5
    Software License Agreement—Terms of Use ... 6
    Executive Summary ... 8
    PANscan Product Overview ... 9
Chapter 2: Interface Components ... 11
    Register ... 12
    Scan ... 12
    Results ... 13
    Settings ... 14
    Help ... 14
Chapter 3: Install PANscan ... 17
    Platform Requirements ... 18
    Operating System, Tools and Environment Requirements ... 18
    Run the PANscan Download ... 18
    PANscan AutoUpdate ... 21
Chapter 4: Register Tab ... 23
    Activate Registration ... 24
Chapter 5: Scan Tab ... 25
    Run a Scan ... 26
    Scan in Progress ... 26
    Scan Canceled ... 28
    Scan Complete ... 28
Chapter 6: Results Tab ... 31
    Monitor Detailed Scan Results ... 32
    Manage Scan Details ... 34
    Reconcile Scan Results ... 35
Chapter 7: Settings Tab ... 37
    Scan Locations ... 38
    Files Excluded ... 38
Chapter 8: Help Tab ... 41
    Getting Help ... 42
        About PANscan ... 42
Chapter 9: Uninstall PANscan ... 43
    Remove PANscan ... 44
Chapter 10: Send Feedback ... 45
Chapter 11: Frequently Asked Questions ... 47
    PANscan™ Frequently Asked Questions ... 48
Chapter 12: Glossary ... 51
    SecurityMetrics® Glossary List ... 52
        Account Number ... 52
        Acquirer ... 52
        ASV ... 52
        BIN (Bank Identification Number) ... 52
        Cardholder Data ... 52
        False Positive ... 52
        False Negative ... 52
        Magnetic Stripe Data ... 53
        Masking ... 53
        PAN ... 53
        Point of Sale ... 53
        Qualified Incident Response Assessor ... 53
        Track Data ... 53
        Truncation ... 53
Chapter 1: Introduction
Topics:
• Software License Agreement—Terms of Use
• Executive Summary
• PANscan Product Overview
PANscan™ from SecurityMetrics® helps merchants
avoid data compromise by identifying data leaks caused
by non-compliant or improperly configured payment
applications or improper handling and storage of credit
card data.
PANscan does this by detecting stored payment card
data violations, helping merchants comply with current
Payment Card Industry (PCI) mandates.
Software License Agreement—Terms of Use
The SecurityMetrics® PANscan™ SOFTWARE is protected by copyright laws
and international copyright treaties, as well as other intellectual property laws and
treaties.
The SOFTWARE is licensed, not sold.
The intellectual property rights in the SOFTWARE shall at all times remain the
exclusive property of SecurityMetrics, Inc. or other identified owner. By executing
this Agreement User obtains a limited license to Use the SOFTWARE in executable
form. User agrees to use due diligence to safeguard and protect the SOFTWARE as
the valuable trade secret and exclusive property of the owner of the SOFTWARE.
User will at all times use due diligence to safeguard and protect all such confidential
and proprietary information pertaining to the SOFTWARE. User will ensure that
all marks, notices or legends pertaining to the origin, identity or ownership of the
SOFTWARE remain intact and clearly legible.
Except as expressly granted to User under another provision of this Agreement,
Licensor reserves to itself and prohibits User (directly or indirectly, in whole or
in part) from loaning, renting, leasing, sublicensing or otherwise distributing or
operating the SOFTWARE to or for the benefit of any third party, and from altering,
adapting, translating or preparing any derivative work of the SOFTWARE. The
foregoing limitation does not prohibit Authorized Operators from making a copy of
the SOFTWARE for archival purposes or as an essential step in making Permitted
Uses of the SOFTWARE in the Licensed Operating Environment.
GENERAL DISCLAIMER
SecurityMetrics, Inc. reserves the right, in its sole discretion and without any
obligation, to make improvements to, or correct any error or omissions in any
portion of the SecurityMetrics PANscan or the associated materials.
EXCEPT AS EXPRESSLY SET FORTH ABOVE, SECURITYMETRICS
MAKES NO REPRESENTATION OR WARRANTY OF ANY KIND,
EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, TITLE, NONINFRINGEMENT OR ARISING FROM A
COURSE OF DEALINGS, USAGE, OR TRADE PRACTICE. FURTHER,
SECURITYMETRICS DOES NOT WARRANTY THAT THE SOFTWARE
IS ERROR FREE OR THAT BUYER WILL BE ABLE TO OPERATE THE
SOFTWARE WITHOUT PROBLEMS OR INTERRUPTION.
IN NO EVENT WILL SECURITYMETRICS OR ITS AFFILIATES OR
SUPPLIERS BE LIABLE FOR ANY LOSS OF USE, INTERRUPTION OF
BUSINESS, LOSS PROFITS, OR LOST DATA, OR INDIRECT, SPECIAL,
INCIDENTAL, OR CONSEQUENTIAL DAMAGES, OF ANY KIND
REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT,
TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE,
EVEN IF SECURITYMETRICS OR ITS AFFILIATE OR SUPPLIERS
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, AND
WHETHER OR NOT ANY REMEDY PROVIDED SHOULD FAIL OF ITS
ESSENTIAL PURPOSE. THE TOTAL CUMULATIVE LIABILITY TO
CUSTOMER, FROM ALL CAUSES OF ACTION AND ALL THEORIES
OF LIABILITY, WILL BE LIMITED TO AND WILL NOT EXCEED THE
PURCHASE PRICE OF THE PRODUCT PAID BY CUSTOMER.
TERMS OF USE
All users of SecurityMetrics PANscan agree to follow the Terms of Use. If you do
not agree to abide by the Terms of Use, do not use the SecurityMetrics PANscan.
By using the SOFTWARE, the User is executing this Agreement and representing
that they have read, understand, and agree to all legal disclaimers.
PERMISSION TO SCAN
Users are strictly forbidden to use SecurityMetrics PANscan to perform security
tests on computers, servers, or devices, which they do not have permission or
authorization to test. SecurityMetrics, Inc. provides services for end-users, web
administrators, network administrators, and executives to perform security tests on
computers for which they have permission and/or authorization on which to perform
security tests.
DATA SECURITY AND CONFIDENTIALITY
Payment card data displayed and reported by PANscan is truncated in compliance
with PCI DSS. PANscan does not transmit payment card data.
Use of this product allows SecurityMetrics to collect data summary results
for research analysis and to report general trends of aggregate industry data.
SecurityMetrics will not report specific customer data to anyone without the
approval of the user.
PRIVACY
SecurityMetrics and Customer agree to the terms of the Privacy Policy
(https://securitymetrics.com/privacypolicy.adp) posted on the SecurityMetrics.com
website with respect to the use and protection of Customer's data.
REVERSE ENGINEERING
Users are strictly forbidden from copying, reverse engineering, decompiling, or
disassembling the SOFTWARE.
COPYING PROHIBITED
Any reproduction or redistribution of the SOFTWARE, except for backup and
recovery needs, is expressly prohibited by law, and may result in severe civil and
criminal penalties. Violators will be prosecuted to the maximum extent possible.
WITHOUT LIMITING THE FOREGOING, COPYING OR REPRODUCTION
OF THE SOFTWARE TO ANY OTHER LOCATION FOR FURTHER
REPRODUCTION OR REDISTRIBUTION IS EXPRESSLY PROHIBITED
EXCEPT AS REQUIRED FOR BACKUP AND RESTORATION NEEDS.
COPYRIGHT
All title and copyrights in and to the SOFTWARE and any copies of the
SOFTWARE are owned by SecurityMetrics. The SOFTWARE is protected by
copyright laws and international treaty provisions. You must treat the SOFTWARE
like any other copyrighted material with the exception that you may copy the
SOFTWARE solely for backup or archival purposes.
If you experience difficulties while using this product then please email our support
staff.
The Terms of Use located at the following link apply to all products and services
provided by SecurityMetrics, Inc.
SecurityMetrics website https://securitymetrics.com/index.adp
Disclaimer
Every effort has been made to ensure the accuracy of the features and techniques
presented in this publication. However, SecurityMetrics® accepts no responsibility,
and offers no warranty whether expressed or implied, for the accuracy of this
publication.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, recording, or
otherwise, without the express written permission of SecurityMetrics.
The information in this document is subject to change without notice.
SecurityMetrics makes no warranty of any kind in regard to the contents of this
document, including, but not limited to, any implied warranties of merchantability
quality or fitness for any particular purpose. SecurityMetrics shall not be liable for
errors contained in it or for incidental or consequential damages concerning the
furnishing, performance or use of this document.
Executive Summary
When a merchant has credit card information accessible to view, handle, or store
online, the PCI requires that the merchant "Run internal and external network
vulnerability scans at least quarterly and after any significant change in the network
(such as new system component installations, changes in network topology, firewall
rule modifications, product upgrades)." (PCI DSS requirement 11.2, ver. 2.0).
SecurityMetrics® provides high quality PCI security products and services to help
organizations protect their businesses and validate their security compliance.
The ability to quickly detect if cardholder data is being stored on workstations
or servers in violation of the PCI DSS standards is available to any merchant,
whether or not they utilize SecurityMetrics' Site Certification Services. Enrolled
SecurityMetrics customers receive additional services including no-cost telephone
or email support, and automatic reporting to their acquirer.
If no violations are detected, merchants have peace of mind knowing their systems
are functioning securely. If violations are uncovered, merchants can accelerate their
transition to secure payment applications approved under the Payment Application
Data Security Standard (PA-DSS).
PANscan simplifies the testing process by enabling non-technical merchants to
quickly find prohibited credit card data on their systems.
Audience Definition
Both existing and new SecurityMetrics customers can use PANscan.
PANscan Product Overview
PANscan is a free-to-download software product that detects credit card data stored
on computer systems in violation of the Payment Card Industry Data Security
Standard (PCI DSS).
PANscan:
• Searches your system for cardholder data, including Track 1, Track 2 and Primary
  Account Number (PAN) data that may be stored on your computer systems in violation
  of PCI requirements. Searches include archive files such as .zip and .gz files where
  backup information is often stored.
• Triple-checks all threats to ensure they are valid, utilizing technology developed
  to facilitate SecurityMetrics' forensics investigations. This virtually eliminates
  the false positives common with other scanning products and the associated time
  required to research and resolve these errors.
• Runs 10 times faster than a normal disk scan, while also minimizing resource use
  to prevent system slowdown.
• Reports summary results immediately in a popup window when the scan is completed,
  indicating whether or not the system contains prohibited card data.
• Allows scans to be performed as frequently as desired on any number of merchant
  machines, including local hard drives, optical drives and network servers.
PANscan is a valuable tool to help merchants, banks, and card brands eliminate
unencrypted payment card data from computer systems. Data from your scans helps
in this important effort. Payment card data is never transmitted over the Internet and
data transmitted for research purposes preserves user anonymity. For details, refer to
the Terms of Use.
Thanks for choosing PANscan.
Chapter 2: Interface Components
Topics:
• Register
• Scan
• Results
• Settings
• Help
The SecurityMetrics® PANscan application includes five distinct interface elements:
• Register
• Scan
• Results
• Settings
• Help
Register
If you are a registered SecurityMetrics® customer, enter your account email address
and password.
If you are not registered, access the SecurityMetrics website to initiate the
registration process.
Scan
PANscan locates and identifies credit card data.
Results
The Results tab is patterned after a standard Windows Explorer view and includes
the following scan details:
• Mag stripe track data
• Credit cards found
• Access denied
The Path view includes the following scan details:
• Path
• Count—number of cards found in a particular file
• False Positive
• Time—when the file was scanned
The Card Type view of the Results tab includes the following scan details:
• Card Type
• Credit Card (masked)
• Offset
• Track Type
• Content
• Character Type
When a scan has completed, the Results Options menu includes the following options:
• Open
• Text report
• Clear
Settings
The Settings tab contains include/exclude options for the scan. The Settings tab
interface includes the following elements.
• Scan Locations—defaults include hard drive(s) and network drive(s)
• Files Excluded—image files and executable files are excluded by default
• Defaults button—sets the default drives to scan
  Note: Settings are always reset to default on startup.
• Results Directory—allows you to select the directory in which to save the scan files
Help
The Help tab includes links to the following documentation:
• About PANscan
• PANscan Help
• PANscan QuickStart Guide (PDF)
• FAQ
Related help links include:
• SecurityMetrics Website
• PCI Requirements
Chapter 3: Install PANscan
Topics:
• Platform Requirements
• Operating System, Tools and Environment Requirements
• Run the PANscan Download
• PANscan AutoUpdate
This section explains platform requirements and installation procedures.
Download PANscan from the SecurityMetrics website to install the application.
Platform Requirements
PANscan requires the following minimum run-time elements.
• Pentium-class Platform
• 256 MB of RAM
• 300 MB free disk space
• Internet connection
Operating System, Tools and Environment Requirements
PANscan is supported on the following Microsoft Windows® operating systems.
• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows 2008
• Select previous versions of Microsoft Windows® operating systems are
supported with a command line interface.
Run the PANscan Download
To download PANscan from the SecurityMetrics website:
1. Click PANscan on the Products list.
2. In the right-hand corner of the PANscan screen, click the Free Download button.
   Note: You may have to "unblock" popups to proceed with the download.
3. On the Free Download button, click Click Here to start the download.
4. Click Run on the Open File dialog.
5. From the Opening PANscan .msi dialog, click Save File to launch the PANscan
Setup Wizard.
The PANscan Setup Wizard launches.
6. Follow the wizard prompts to install PANscan. Once installed, PANscan
launches automatically.
Upon completing the wizard tasks, the following Register screen is displayed.
On the Register screen, enter your SecurityMetrics Account Email and Password to
complete the registration process.
PANscan AutoUpdate
Automatic PANscan updates are available from SecurityMetrics.
When there is a new version of PANscan, SecurityMetrics issues the message
shown in the following graphic.
Click Yes to update your PANscan version.
Chapter 4: Register Tab
Topics:
• Activate Registration
Detailed scan results are available to registered SecurityMetrics® customers.
Activate Registration
To activate registration, enter your account email address and password and click
Activate.
After a successful registration, a registration activation screen similar to the
following is displayed.
Chapter 5: Scan Tab
Topics:
• Run a Scan
• Scan in Progress
• Scan Canceled
• Scan Complete
A scan locates and identifies credit card data on your system.
From the Scan tab, you can run scans, monitor scan progress, and pause or cancel a scan.
Run a Scan
Before you begin a scan, you must select what you want to scan.
To select what you want to scan:
1. Click the Settings tab and select the following:
   • Scan Location—what drives you plan to scan
   • Files Excluded—what types of files you plan to exclude from the scan
2. Once you have completed your settings, click the Scan tab.
3. Click Play to start or resume the scan.
4. Click Pause to suspend the scan.
   Note: You can continue to use the computer while the scan runs.
5. Click Stop to cancel the scan.
   Note: Canceling the scan removes the results for that session.
To see scan results or to generate reports, click the Results tab.
Scan in Progress
The PANscan magnifying glass animation indicates a scan in progress. The status bar,
located in the lower left-hand corner of the Scan screen, shows a snapshot of which
files are being scanned.
When paused or canceled, the scan status image changes to reflect the specific
state—either paused or canceled.
1. To see the status of the scan, click the Results tab to view details.
When the scan is complete, a message similar to the following is displayed.
2. Click Yes to send results.
3. Click No if you do not want to send the results.
Scan Canceled
One of the options for managing a scan is to cancel it. A canceled scan is an incomplete
scan.
To cancel a scan
1. Click the Stop button.
Upon cancellation, the application provides the following feedback.
2. Click Play to start a new scan.
Scan Complete
Once the scan finishes, a message similar to the following is displayed.
If PANscan does not find any credit card data, the message reads as follows.
PANscan found no credit card data. We recommend that you rescan monthly.
1. Click the Results tab to see scan details.
If you are a registered SecurityMetrics customer, you will see full scan details.
Scan Summary information includes:
• Mag stripe track data found
• Credit cards found
• Files containing credit cards
• Data scanned
• Elapsed time
• Scan completed
If you are not yet a SecurityMetrics customer, your view is limited to the Scan
Summary data.
To register as a SecurityMetrics customer, go to the SecurityMetrics website
https://securitymetrics.com/index.adp and click Register.
Chapter 6: Results Tab
Topics:
• Monitor Detailed Scan Results
• Manage Scan Details
• Reconcile Scan Results
After you review your Scan Summary (on the Scan tab), click the Results tab to view
the scan details.
Monitor Detailed Scan Results
The Results tab resembles a Windows Explorer window with an expandable tree
view, a path view that includes the full path to files, and a card type view that
includes detailed credit card data.
The Tree view allows you to navigate all aspects of your scan results, including:
• Mag stripe track data
• Credit cards found
• Access denied
The Mag stripe track data folder contains magnetic stripe track data that has been
located on your network.
Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) is
to “protect stored cardholder data.”
Cardholder data refers to any information contained on a customer’s credit card.
The data is printed on either side of the card and is contained in digital format on the
magnetic stripe embedded in the backside of the card.
PANscan can help you remediate rogue cardholder data that may be stored on your
network in violation of PCI Requirement 3.
Double-click to expand the folders.
Within the Credit cards found folder, you can identify where, on your system,
rogue credit card data might be stored.
The following screen capture shows a fully populated path and card type view.
The Access denied folder contains files that could not be opened for scanning. Files
that are opened by another application are not available for scanning. Some system
files are also listed under Access denied.
When running PANscan it is advisable to close all applications and run it as an
administrator.
Click the minus sign (-) to collapse the tree view.
The Path view includes a right-click menu that allows you to open a folder, locate a
folder or mark specific folders or files as False Positive.
The Card Type view includes information confirming the card type of a card data
string highlighted in the Path view.
Manage Scan Details
Once the scan is complete, you can manage your scan details using the right-click menu,
available in the Path view.
The available options include those listed in the following screen capture.
1. Select the file you want to view in the Path view.
You can now view the card type, and masked credit card number, offset, and
track type in the Card Type view.
2. Right-click the file in the Path view and select Open Folder.
PANscan opens the folder containing the selected file on your system.
3. Double-click the folder in the tree view to open the specific file.
Note: PANscan uses many checks to detect credit card numbers. However, some data
patterns match credit card data. A match that is not credit card data is called a
“false positive.” False positives are the erroneous identification of a threat or
dangerous condition that turns out to be harmless. False positives often occur in
intrusion detection systems.
4. After reviewing the selected files, mark files containing false positive data.
These files will be excluded from subsequent scans. They also remain persistent,
even if scan results are cleared.
5. Unmark false positives.
Note: You can change (unmark) any false positives that you determine do indeed
contain credit card data at your next scan.
Reconcile Scan Results
Determining whether the numbers that PANscan discovers are real credit card data is a
process of elimination and may take some time. Here are some reconciliation strategies.
Many programs have 15/16 digit numbers in their files. Some may pass all of the
PANscan tests for credit card numbers. Your objective should always be a passing
scan.
Either the results are accurate or they are false positives. It is your responsibility
to make the determination. False positives can be excluded from future scans by
marking the containing file as false positive (see Manage Scan Details). You mark
the entire file as false positive.
Note: Track data is almost never a false positive.
1. Check paths—From the Path view, select an item in the list.
a) Right-click and select Locate Folder to see where the folder is located on
your system. Analyze the folder path to determine viability.
b) Break report into smaller sections—For example, select a single folder to
analyze.
c) Check directories—Choose a specific directory and spot check folder
contents for possible False Positives.
d) Check file types—Within folders, double-check file types to make certain
they contain viable data.
2. Check file contents—Using the Right-click menu, select Open Folder to see
where the file is located on your system. Analyze the files contained in this view
to determine whether to mark the files as False Positive.
a) Right-click and select Open Folder.
b) Search for BIN—The Bank Identification Number is the first six digits of
a credit card number. These numbers identify the institution that issued the
card to the card holder.
c) Analyze context—Evaluating where potential False Positives reside is key to
eliminating card holder data from your system.
3. Get outside help—If you are not technically skilled, either hire a contract IT
person or contact SecurityMetrics customer support.
a) Hire a contractor—An IT contractor would conduct network system audits,
collaborate with developers and operations team on security reviews, utilize
knowledge of network security scanning tools.
b) Contact SecurityMetrics Support—Our goal at SecurityMetrics is to provide
an easy and effective communication channel with our technical support
team. If you are experiencing difficulties, see the support page on our
website https://securitymetrics.com/support.adp.
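The detection and reconciliation behaviour described in the Product Overview and in this section, worked through as an added example that is not PANscan's own code: a small Python finder that applies three checks to a file's bytes (digit pattern, Luhn check digit, BIN-based card type), reports findings in the shape of the Card Type view (card type, masked number, offset, track type), and skips whole files that have been marked as false positives. The sample files, the industry test card numbers in them and the BIN prefix table are constructed assumptions of this example.

```python
import re

# Check 1 of 3: a candidate PAN is 13 to 19 digits, optionally split by single spaces
# or dashes, and not embedded in a longer digit run (serial numbers, hashes).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: start sentinel ';', PAN, '=' separator, YYMM expiry, 3-digit service code,
# discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Track 1: start sentinel '%', format code 'B', PAN, '^' cardholder name '^',
# YYMM expiry, service code, discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Check 2 of 3: the mod-10 check digit that every issued PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_type(pan: str):
    """Check 3 of 3: brand from the BIN (the first six digits) plus PAN length.
    The prefix ranges are the commonly published ones, assumed here (not PANscan's table)."""
    n, two, four = len(pan), int(pan[:2]), int(pan[:4])
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    if n == 15 and two in (34, 37):
        return "American Express"
    if n == 16 and (four == 6011 or two == 65):
        return "Discover"
    return None


def mask(pan: str) -> str:
    """PCI DSS display truncation: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(pan: str):
    """Apply checks 2 and 3; returns the brand, or None when the candidate is rejected."""
    return card_type(pan) if luhn_ok(pan) else None


def scan_bytes(data: bytes) -> list:
    """Return findings shaped like the Card Type view: card type, masked PAN, offset, track type."""
    text = data.decode("latin-1")          # one character per byte, so offsets are byte offsets
    findings, covered = [], []
    for track, rx in (("Track 1", TRACK1_RE), ("Track 2", TRACK2_RE)):
        for m in rx.finditer(text):
            brand = classify(m.group(1))
            if brand:
                findings.append({"card_type": brand, "pan": mask(m.group(1)),
                                 "offset": m.start(), "track_type": track})
                covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue                        # already reported as part of a track
        pan = re.sub(r"[ -]", "", m.group())
        brand = classify(pan)
        if brand:
            findings.append({"card_type": brand, "pan": mask(pan),
                             "offset": m.start(), "track_type": "PAN"})
    return sorted(findings, key=lambda f: f["offset"])


def scan_files(files: dict, false_positives=frozenset()) -> dict:
    """Scan an in-memory {path: bytes} set. A file marked false positive is skipped whole,
    matching the guide's note that the entire file is marked."""
    return {path: scan_bytes(data) for path, data in files.items()
            if path not in false_positives}


# Constructed sample files; the card numbers are the well-known industry test numbers.
SAMPLE_FILES = {
    r"C:\pos\batch.log": (b"auth ok 4111111111111111 exp 2512\n"
                          b"swipe ;5555555555554444=2512101123456?\n"
                          b"amex 3782 8224 6310 005\n"),
    r"C:\pos\swipe.tmp": b"%B4111111111111111^DOE/JOHN^2512101?",
    # 16 digits that fail Luhn, and a 20-digit serial that is too long to be a PAN
    r"C:\app\ids.txt": b"order 1234567890123456 serial 12345678901234567890\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, "count =", len(hits))
        for h in hits:
            print("   ", h)
```

Only candidates that pass all three checks are reported, which is why the Luhn-failing number and the 20-digit serial in ids.txt produce nothing; a Luhn-valid number with an unrecognised BIN is rejected too, which is the kind of case a manual reconciliation still has to look at.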
Chapter 7: Settings Tab
Topics:
• Scan Locations
• Files Excluded
PANscan allows you to customize your scan, using the following settings.
Scan Locations
Using PANscan you can either include in or exclude files from different system locations.
Note: Settings are not saved.
The following screen capture shows an example of the file locations you can
choose to either include in or exclude from your scans.
In the Scan Locations box, check the appropriate boxes to set up what you plan
to scan. The default settings are hard drive and/or network drive.
Files Excluded
It is unlikely that you would find credit card data in files such as image or
executable file types.
1. Choose to include/exclude file types as shown in the following screen capture.
2. In the Files Excluded box, identify the types of files you want to include or
exclude by checking the appropriate box. The defaults include image files such
as .bmp, .jpg, .png and executable files such as .exe, .dll, .sys.
Setting results will affect the length of time required for your scans.
Chapter 8: Help Tab
Topics:
• Getting Help
The Help tab provides access to a number of important internal and external resources.
Getting Help
The Help tab includes links to the following SecurityMetrics resources.
• About PANscan on page 42
• PANscan QuickStart Guide
• Frequently Asked Questions on page 47
• SecurityMetrics website https://securitymetrics.com/index.adp
In addition to SecurityMetrics documentation, you can access external PCI
resources by clicking the following link.
• PCI Requirements https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
About PANscan
PANscan Version 1.0
PANscan 2011. All rights reserved. (Licensing Information). PANscan and the
PANscan logos are trademarks of SecurityMetrics, Inc. All rights reserved.
PANscan requires at minimum:
• Pentium-class Platform
PANscan is supported on the following operating systems.
• Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows 2008
Chapter 9: Uninstall PANscan
Topics:
• Remove PANscan
Warning: The following procedure will remove PANscan from your system. Ensure
that all valuable data is saved to another location prior to performing this procedure.
Note: Make sure that you close PANscan and any Help windows before uninstalling.
Remove PANscan
From the Start menu:
1. Open the SecurityMetrics® node.
2. Click Uninstall PANscan and follow the prompts.
Chapter 10: Send Feedback
Your feedback and suggestions help us to better serve you, our valued customer. We
want to hear from you!
Send feedback and comments about PANscan to [email protected].
If you want us to contact you directly, include your contact information. We will
make every attempt to help you resolve your questions or issues.
SecurityMetrics
462 East 800 North
Orem, Utah 84097
(801) 705-5700
www.securitymetrics.com
Chapter 11: Frequently Asked Questions
Topics:
• PANscan Frequently Asked Questions
Welcome to the PANscan Frequently Asked Questions (FAQ).
PANscan™ Frequently Asked Questions
Q. Should I shut down other applications when I run PANscan?
A. No. PANscan is optimized to discover credit card data using minimal system resources.
Q. How long will it take to run my scan?
A. This depends on how much data you are scanning and on the available system resources. You can estimate about 1 minute per gigabyte.
Q. What does PAN stand for?
A. PAN (Primary Account Number) is the card number that identifies the organization that issued the card, the Card Scheme and the card holder; it is also called the Account Number. PAN is equivalent to credit card number.
Q. Why do I need to run PANscan?
A. PANscan helps you avoid data compromise by identifying data leaks caused by non-compliant or improperly configured payment applications, or by improper handling and storage of credit card data.
Q. The Results tab shows me a lot of files, but I know that those files don’t contain credit card information. What’s going on?
A. PANscan uses many checks to detect credit card numbers. However, some data patterns match credit card data without being card numbers. A match that is not a credit card number is called a “false positive.” You can mark files as containing false positives, and those files will be skipped in subsequent scans.
Q. I ran PANscan, but I can’t see any results. Why?
A. PANscan displays the credit card data it found. You may have a clean system that has no rogue credit card data.
Q. How do I send my scan results to my merchant processor?
A. PANscan reports summary results to SecurityMetrics.
Q. Does PANscan work across a firewall?
A. PANscan requires a connection to the Internet for licensing information, program updates, and reporting. If you can access the Internet using Internet Explorer, you should be able to run PANscan.
Q. How do I access my scan results?
A. Once the scan is complete, click the Results tab to view your scan details.
Q. How often should I run PANscan?
A. We recommend that you run PANscan monthly.
Q. How much does PANscan cost?
A. PANscan is free to registered SecurityMetrics customers.
Q. Can I scan one specific file or one specific directory?
A. No. PANscan only runs “complete scans.”
Q. Does PANscan skip some files automatically?
A. PANscan skips image, audio and video formats as well as Windows Program Files.
Q. What specific file types does PANscan exclude?
A. Image/video extensions include:
*.gif, *.jpg, *.jpeg, *.jpe, *.dib, *.bmp, *.tif, *.tiff, *.png, *.pdc, *.pcx, *.ttf, *.fon, *.ico, *.cur, *.wav, *.mp3, *.mp4, *.mov, *.avi, *.wmv, *.asx, *.m3v, *.wpl, *.wvx, *.wmx, *.dvr, *.dvr-ms, *.mid, *.rmi, *.midi, *.mpeg, *.mpg, *.mp2, *.mpa, *.snd, *.au, *.aif, *.asf, *.wm, *.wma, *.psd, *.ttc
Executable extensions include:
*.exe, *.dll, *.sys, *.com, *.ocx, *.cpl, *.drv, *.scr, *.msi, *.obj, *.cab, *.jar
Q. Why does PANscan display files that cannot be opened for scanning? Isn’t it a given that all the files listed in 'Access Denied' are system files?
A. PANscan lists the files that it did not scan in the Access Denied folder for completeness. You are responsible for files that PANscan does not scan, so review the list to make sure that critical files were scanned. For example, a file containing credit card data might be open in another application, so PANscan cannot open it to scan. Also, the current user may not have sufficient rights to access the file.
Q. Can PANscan detect credit card numbers in scanned documents?
A. No. PANscan cannot detect images of scanned card data; for example, PANscan will not detect the number from a picture of a credit card.
Q. My bank told me that I needed to run PANscan once a year as part of my PCI compliance requirement. Is it a bank mandate that merchants run PANscan?
A. Eliminating card data greatly reduces the liability of the merchant and the bank, and some banks are requiring their merchants to run PANscan. For clarification, PCI compliance does not currently require disk scans using card discovery tools like PANscan. However, PCI does require the merchant to attest that they do not store unencrypted card data. PANscan gives merchants the accuracy to be confident in their response.
Q. PANscan detects credit card data in an email message, but there are no numbers in the message itself. What’s going on?
A. The email header could contain strings of digits that match the card format. Most mail readers do not show header information by default, but you can usually view it. This sounds like a false positive. Additionally, the email is stored (archived) together with any attachments, and PANscan simply scans the archive files, including any embedded files.
Q. Do image files [JPGs] contain credit card data?
A. Image files such as JPGs contain a lot of 15- and 16-digit numbers. PANscan excludes them by default.
Q. What are the penalties for “failing” a scan?
A. There are currently no PCI penalties based on PANscan results. However, if you have unencrypted card data you are not PCI compliant and are therefore subject to PCI penalties. Banks can assess penalties based on PANscan results.
Q. Is my data sent to the bank every time I run a scan? Does the information determined to be a false positive get interpreted as real credit card data by the bank? If so, what happens then?
A. PANscan sends summary data to SecurityMetrics. Banks access the PANscan data through a SecurityMetrics console, and they can only view results from the most recent scan. The summary includes 1) whether credit card data was found and 2) whether track data was found.
Q. Why does PANscan show a card type (Visa, MasterCard) even though the entry is a false positive?
A. The first few digits in a credit card number identify the card type: 45-46 are Visa, 56 is MasterCard, 37 is American Express, and so on. Even a false positive will have matching digits, and PANscan shows the card type based on these values.
Q. I am using Windows 7/Vista and have deleted files containing credit card data. These files have been deleted but they are not deleted from the Trash. The filenames have been changed and they continue to appear in the PANscan Results tab. Why aren't these files deleted permanently?
A. When a file is deleted through the Windows UI (Windows Explorer), the file is not really deleted from the system. Instead, it is placed in the Recycle Bin (represented by the trash can). Files in the Recycle Bin can be restored to the place where they previously existed. To permanently delete the file you also need to empty the Recycle Bin. Even then, deleting the file and emptying the trash does not 'forensically' remove the content from the system. While the file entry is gone, its contents are still on the disk; the space is marked as available and will eventually be re-used, but until then it is possible to access this information with specialized 'forensic' programs. To forensically remove the content from the system, a 'forensic' eraser program must also be used. A forensic eraser overwrites (many times) the unused portions of the disk, wiping the prior content from the system.
Q. When I scan this data:
4009999999000009 Visa
4009992525252525 Visa
4010000000000018 Visa
4010004040404008 Visa
4194575757570006 Visa
6011373737373006 Discover
5515555550000004 MasterCard
5587676767600007 MasterCard
all of these numbers are detected as credit card data and appear on the Results tab. Why?
A. PANscan turns off the repeated-pattern checking in a file once it finds what appears to be a real credit card.
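To make the detection rules in this FAQ concrete (candidate digit strings, the card type taken from the leading digits, the repeated-pattern checking described in the last answer, the excluded file types, and the Access Denied listing), here is an added example of a small PAN discovery scanner in Python. It is not PANscan's code, and PANscan's actual checks are not published: this example uses the Luhn mod-10 check, the commonly published issuer prefixes (Visa 4, MasterCard 51-55, American Express 34/37, Discover 6011/65) rather than the guide's abbreviated list, and a repeated-digit heuristic of my own. Matches are displayed masked (first six and last four digits), as the glossary's Masking entry describes. The sample inputs are constructed: the eight test numbers quoted in the FAQ, plus one Luhn-valid number (4539 1488 0343 6467) that is not a real account.

```python
import re
from pathlib import Path

# File types the FAQ says PANscan skips (image/audio/video formats and executables).
EXCLUDED_EXTENSIONS = {
    ".gif", ".jpg", ".jpeg", ".jpe", ".dib", ".bmp", ".tif", ".tiff", ".png", ".pdc", ".pcx",
    ".ttf", ".fon", ".ico", ".cur", ".wav", ".mp3", ".mp4", ".mov", ".avi", ".wmv", ".asx",
    ".m3v", ".wpl", ".wvx", ".wmx", ".dvr", ".dvr-ms", ".mid", ".rmi", ".midi", ".mpeg", ".mpg",
    ".mp2", ".mpa", ".snd", ".au", ".aif", ".asf", ".wm", ".wma", ".psd", ".ttc", ".exe", ".dll",
    ".sys", ".com", ".ocx", ".cpl", ".drv", ".scr", ".msi", ".obj", ".cab", ".jar",
}

# Assumption: the commonly published issuer prefixes, not the guide's abbreviated list.
CARD_PREFIXES = [
    ("American Express", ("34", "37")),
    ("Discover", ("6011", "65")),
    ("MasterCard", ("51", "52", "53", "54", "55")),
    ("Visa", ("4",)),
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not part of a
# longer digit run (a 20-digit serial number is not a PAN).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_RUN_RE = re.compile(r"(\d)\1{5,}")     # six or more identical digits in a row
_PAIR_RE = re.compile(r"(\d\d)\1{3,}")  # a two-digit pair repeated four or more times


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_type(digits: str):
    """Map the leading digits (the start of the BIN) to a card brand, or None."""
    for brand, prefixes in CARD_PREFIXES:
        if digits.startswith(prefixes):
            return brand
    return None


def looks_like_test_pattern(digits: str) -> bool:
    """Heuristic of my own (not PANscan's) for Luhn-valid but artificial numbers."""
    return bool(_RUN_RE.search(digits) or _PAIR_RE.search(digits))


def mask_pan(digits: str) -> str:
    """Masking as in the glossary: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Find PANs in one file's contents: Luhn-valid, known brand, and repeated-pattern candidates
    suppressed until one unpatterned card is found in the same file (then reported, as the FAQ says)."""
    findings = []
    suppress_patterns = True
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        brand = card_type(digits)
        if brand is None or not luhn_valid(digits):
            continue
        patterned = looks_like_test_pattern(digits)
        if patterned and suppress_patterns:
            continue
        if not patterned:
            suppress_patterns = False  # a real-looking card turns the filter off for this file
        findings.append({"masked": mask_pan(digits), "type": brand, "test_pattern": patterned})
    return findings


def scan_path(path) -> dict:
    """Scan one file, bucketing it the way the Results tab does: skipped, access denied, scanned."""
    path = Path(path)
    if path.suffix.lower() in EXCLUDED_EXTENSIONS:
        return {"file": str(path), "status": "skipped"}
    try:
        text = path.read_text(errors="replace")
    except OSError:  # locked by another application, missing, or insufficient rights
        return {"file": str(path), "status": "access_denied"}
    return {"file": str(path), "status": "scanned", "findings": scan_text(text)}


# Constructed sample: the eight test numbers quoted in the FAQ, exactly as listed there.
FAQ_TEST_NUMBERS = """\
4009999999000009 Visa
4009992525252525 Visa
4010000000000018 Visa
4010004040404008 Visa
4194575757570006 Visa
6011373737373006 Discover
5515555550000004 MasterCard
5587676767600007 MasterCard
"""
# Constructed: the same list preceded by a Luhn-valid, unpatterned number (not a real account).
REAL_CARD_FIRST = "Card on file: 4539 1488 0343 6467 (exp 12/29)\n" + FAQ_TEST_NUMBERS

if __name__ == "__main__":
    for f in scan_text(REAL_CARD_FIRST):
        print(f["masked"], f["type"], "(test pattern)" if f["test_pattern"] else "")
```

Run on the FAQ's eight test numbers alone, the pattern heuristic suppresses all of them (stricter than the behaviour the FAQ describes); once an unpatterned card precedes them in the same file, the filter switches off and all eight are reported with their brands, which is exactly the situation the last question describes. The `scan_path` buckets mirror the Results tab: files in the skip list are never opened, and any file that cannot be read lands in the access-denied bucket so it can be reviewed by hand, as the Access Denied answer recommends.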
Chapter 12
Glossary
Topics:
• SecurityMetrics® Glossary List

This brief glossary is a subset of the full PCI (Payment Card Industry) glossary. For additional information or more in-depth definitions, see the PCI glossary, available at https://www.pcisecuritystandards.org/security_standards/glossary.shtml
SecurityMetrics® Glossary List
This brief glossary includes definitions, abbreviations and acronyms directly associated with SecurityMetrics.
Account Number
See also PAN (Primary Account Number).
Acquirer
An acquiring bank (or acquirer) is the bank or financial institution that accepts credit or debit card payments for products or services on behalf of a merchant.
ASV
Approved Scanning Vendor. ASVs are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
BIN (Bank Identification Number)
All credit card numbers begin with a 6-digit prefix: the sequence of digits at the start of the number that determines the credit card network to which the number belongs. These first 6 digits are known as the Bank Identification Number (BIN); they identify the institution that issued the card to the card holder. The rest of the number is allocated by the issuer.
Cardholder Data
Contents of the full magnetic stripe, or the PAN plus any of the following:
• Cardholder name
• Expiration date
• Service Code
False Positive
A false positive is a number that PANscan identifies as a credit card number when in fact it is not. False positives often occur in intrusion detection systems. See also False Negative.
False Negative
The erroneous identification of a condition as benign when it turns out to be harmful. Contrast with false positive. See also False Positive.
Magnetic Stripe Data
Data encoded in the magnetic stripe, used for authorization during a card-present transaction. Entities may not retain full magnetic stripe data subsequent to transaction authorization. Specifically, subsequent to authorization, service codes, discretionary data/CVV, and Visa reserved values must be purged; however, account number, expiration date, and name may be extracted and retained.
Masking
Method of concealing a segment of data when it is displayed. Masking is used when there is no business requirement to view the entire PAN.
PAN
PAN (Primary Account Number) is the card number that identifies the organization that issued the card, the Card Scheme and the card holder. Also called Account Number. PAN is equivalent to credit card number.
Point of Sale
POS is the location where a business transaction occurs. A POS terminal is a device by which sales transactions can be directly debited to the customer's bank account.
Qualified Incident Response Assessor
A special investigator with the Payment Card Industry who has PCI knowledge and forensic examination skills.
Track Data
See also Magnetic Stripe Data: data encoded in the magnetic stripe and used for authorization during a credit card transaction.
Truncation
Method of rendering the full PAN unreadable by permanently removing a segment of PAN data.