By using HPE PANfinder to scan each of your systems for unprotected PAN data, you can ensure there are no live PANs residing in unknown locations and therefore no valuable card data available for hackers or rogue employees to steal. PANfinder also provides you with a way of proving that all PANs on your system are being stored in accordance with the Payment Card Industry Data Security Standard (PCI-DSS).
 

PANfinder Key Features

  • PAN discovery & PCI-DSS scoping tool

  • Extremely accurate - Intelligent false-positive reduction

  • Several FASTscan™ options

  • SIEM integration via Syslog

  • Agent mode option

  • Minimal CPU performance impact

  • Configurable search criteria

  • Automated searches and reports

  • Scanning of open and locked files

  • Helps meet PCI-DSS 3.2, 3.4 and 6.4.3

  • Essential for meeting PCI-DSS requirements 12.5 and 12.5.2

  • Clear, PCI compliant reports produced

Do You Need PANfinder?

Fact: all companies know the exact routes that PANs take when they're processed through their computer systems. And all companies know where PANs are stored and how they're protected, correct? And all companies are 100% confident that no card data is being leaked to other sources, right? While that is the case for the vast majority of firms, there's a small minority of well-documented companies who were totally unaware of the buried trace files that were logging readable PANs... or the contractor who had copied a chunk of live data over to their test system... or the malicious code which was duplicating unencrypted card data over to a hidden folder... The unfortunate thing for that minority of firms was that they all thought they knew exactly where their card data was, but they were wrong. Do you need a PAN search tool? Only you can answer that question.
 

Platforms Covered

PANfinder is only available for HPE NonStop servers.

 

False Positive Reduction

You can never totally eradicate false-positive results - if you did, it's highly likely you'd be excluding genuine PANs from your results as well as the false-positives you're trying to avoid. To ensure PANfinder reports are of the highest possible quality, we've done a great deal of work on building in intelligence, such as (but not limited to) Luhn algorithm (aka Luhn formula) checks on all suspected PANs, to help ensure false-positives are the exception rather than the norm. It's easy to import your own regularly updated BIN/IIN database into PANfinder, making sure even the most recently issued payment cards are searched for.
 

Test PANs

One of the many user-friendly configuration options available to PANfinder users is the ability to search specifically for known test PANs - a great way of carrying out specific data leak tests. On the flip-side, test PANs can also be excluded from PANfinder searches, eliminating the need to manually remove known test PANs from search results.
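The false-positive checks and test-PAN options described in the two sections above can be illustrated with a short added example; it is not PANfinder code and does not reflect its internals. The prefix list, test-PAN list, masking format and sample lines are all constructed assumptions.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed stand-in for an imported BIN/IIN list (assumption; a real list is far larger).
BIN_PREFIXES = ("4", "51", "52", "53", "54", "55", "34", "37")
# Widely published test card numbers, used here as the known-test-PAN list.
TEST_PANS = {"4111111111111111", "5555555555554444"}

def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep the first six and last four digits only (masking format is an assumption)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines, test_pans="exclude"):
    """Return (line number, masked PAN) hits. test_pans: 'exclude', 'include' or 'only'."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if not pan.startswith(BIN_PREFIXES) or not luhn_ok(pan):
                continue  # unknown issuer prefix or failed checksum: treat as false positive
            is_test = pan in TEST_PANS
            if (test_pans == "exclude" and is_test) or (test_pans == "only" and not is_test):
                continue
            hits.append((lineno, mask(pan)))
    return hits

# Constructed sample lines (not real log data).
SAMPLE = [
    "auth ok card=4012888888881881 amt=12.50",   # Luhn-valid, known prefix
    "trace: order-id 4111111111111112 queued",   # 16 digits but fails Luhn
    "test card 4111 1111 1111 1111 used by QA",  # known test PAN
    "amex 3782-822463-10005 stored in clear",    # 15-digit PAN with separators
    "disc 6011111111111117 not in BIN list",     # Luhn-valid, prefix missing from list
]

if __name__ == "__main__":
    for mode in ("exclude", "include", "only"):
        print(mode, scan(SAMPLE, mode))
```

The last sample line is never reported because its prefix is absent from the constructed list, which is why a stale BIN/IIN list turns into missed PANs rather than fewer false positives.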
 

Configuring HPE PANfinder

HPE PANfinder has many flexible configuration options for how and when it performs its searches for PANs. You can schedule individual PAN scans or run in agent mode, where PANfinder constantly runs in the background, just scanning files as and when they're added/edited. Specific files and folders can be included or excluded as required, plus many more configuration options designed to suit each customer's individual environment.
 

Reports and SIEM integration

Summary and Detailed reports are generated as CSVs, making storage and analysis easy. As you would expect, the content of reports conforms to PCI-DSS requirements in terms of PAN-masking.

PANfinder's Syslog output can be used for integration into Security Information and Event Management (SIEM)/enterprise audit logging solutions such as LogLogic and RSA enVision.

FASTscan™

HPE PANfinder has several features designed to increase the speed of its data discovery scans.

Change-detection: once an initial scan has been carried out, HPE PANfinder can be set to only look at files which have been changed/edited since its previous scan - vastly increasing overall scan speeds and reducing CPU overhead.

Summary Scan: HPE PANfinder can be configured so that once a predefined number of suspect PANs have been found in a file, HPE PANfinder will stop searching that file and move on to the next one. So rather than creating a huge list of suspect PANs, you're just creating a list of files containing suspect PAN data.

HPE PANfinder can also be configured to only search files which have previously been identified as containing suspect PAN data - ideal for checking successful removal or encryption of PAN data.

Installation

HPE PANfinder is quick and easy to install. A quick-start guide plus full product documentation is provided.

Evaluation

For a free no obligation evaluation of HPE PANfinder please click here.

HPE NonStop file formats searched

  • Enscribe Structured files (key-sequenced, entry-sequenced and more)

  • Enscribe unstructured files

  • Edit files

  • PAK files

  • All files in Guardian and OSS environments

HPE PANfinder and PCI-DSS

HPE PANfinder is an invaluable tool for any HPE NonStop user looking to achieve and maintain PCI DSS compliance. In fact we’d go as far as saying it’s impossible for a NonStop user to achieve PCI compliance without using PANfinder.

The various editions of PCI-DSS have always highlighted the importance of confirming the accuracy of your PCI-DSS scope and your defined Cardholder Data Environment (CDE).

Until recently the scoping obligations have always been included in the introduction pages to the DSS requirements in what some refer to as ‘Requirement Zero’. But with the introduction of PCI-DSS V4.0 in 2022, validating the accuracy of your PCI-DSS scope (i.e. carrying out payment card data discovery scans on your entire network including backup files) is now a mandated requirement.

Which PCI-DSS requirements are relevant to PANfinder and payment card data discovery?

Requirement 3: Protect stored cardholder data.

Requirement 3.4 states “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs)”. How can you be 100% sure live PANs aren't being copied to logs, trace files and other unknown locations? The only viable solution is to carry out data discovery scans with a tool such as PANfinder.

PCI-DSS requirement 6.4.3 states “Production data (live PANs) are not used for testing or development.” Can you be absolutely sure there are no live PANs sitting on your test and/or development boxes?

PCI-DSS requirement 12.5: PCI DSS scope is documented and validated.

PCI-DSS requirement 12.5.2 states “…at least once every 12 months and upon significant change to the in-scope environment… …you must identify all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE 2) applications that process CHD 3) transmissions between systems and networks, and 4) file backups.” There is only one way you can confirm/validate there is no account data (aka customer payment card data) being stored outside your CDE and that’s by carrying out card data discovery scans.


PANfinder™ Business Function diagram and examples of typical PAN data locations

 
 