Common FAQs for ControlCase’s CDD Enterprise Software
What file types do you handle?
We handle most common file types, including Microsoft Office documents. Here is a recent list of the file extensions we scan by default: txt, doc, docx, csv, xls, xlsx, rtf, tsv, bak, bck, bk, bkp, err, log, text, temp, tmp, xml, arc, trc, cfg, lck, lok, enr, out, in, sql, msb, dat, ds, is, msg, xsd, plb, nlb, dcr, dcn, aud, htm, rdf, odt, dbf, idx, cdx, bkd, bkl, lst, crd, 01300, bit, rpt, old, f05, trn, pdf, mdb, one, accdb, mht, zip.
With Enterprise CDD, you can add your own file types/extensions to be scanned.
How do you handle false positives?
We have spent multiple years and a significant amount of effort working on reducing false positives from our product results, and with every new release we keep improving this algorithm.
We run multiple filtering passes over the identified data to reduce the number of false positives. Common checks include regular expression matching, LUHN (Mod 10) checksum validation and BIN range checks. In addition, we have developed sophisticated proprietary algorithms that perform further checks. We also draw on the experience gained from scanning petabytes of real-world data globally for our customers through our Card Data Discovery service to keep improving our false positive algorithm. (Most other product companies have neither this real-world experience nor this degree of false positive management.)
However, some numbers we find, despite passing every validation check, are not really card numbers. Such information can only be determined by a human using the context (file or database) in which the number was discovered.
In addition to the false positive management built into the product, you can further reduce false positives by including and excluding card brands, and by excluding files and directories using wildcard patterns. Our Enterprise CDD software applies multiple passes of false positive management. We work with our customers to filter out false positives once they provide the context that is specific to their environment.
Do you look for files in the recycle bin in Windows?
Yes, we do.
Will you slow down my systems when you scan?
We do NOT slow down computers or networks when we scan. In fact, we pride ourselves on the very low resource usage of the scanner and have been praised by customers who came to us after trying other products.
What kind of credit card data do you find?
We use a sophisticated algorithm, refined over multiple years, to discover all credit and debit card data stored in files that falls within the scope of PCI DSS. It includes LUHN, BIN and length checks.
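The filtering passes described above (regular expression matching, LUHN/Mod 10, BIN prefix and length checks, excluded BIN ranges) as a small added example of my own, not ControlCase's code. The brand prefix table and the first-six/last-four masking used for reporting are assumptions; a real scanner uses the issuers' full BIN tables.

```python
import re
# Candidate PAN: 13-19 digits, optional single space/dash separators, not inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Illustrative prefix/length rules (assumption: a real scanner uses full issuer BIN tables).
BRAND_RULES = {
    "Visa": (re.compile(r"4"), {13, 16, 19}),
    "MasterCard": (re.compile(r"5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)"), {16}),
    "American Express": (re.compile(r"3[47]"), {15}),
    "Discover": (re.compile(r"6011|65|64[4-9]"), {16, 19}),
    "JCB": (re.compile(r"35(2[89]|[3-8]\d)"), {16, 19}),
}

def luhn_ok(digits: str) -> bool:
    """Mod 10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(digits: str):
    """Return the brand whose prefix and length rules match, else None."""
    for brand, (prefix_re, lengths) in BRAND_RULES.items():
        if prefix_re.match(digits) and len(digits) in lengths:
            return brand
    return None

def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits for storage and reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str, excluded_bins=()) -> list:
    """Return (brand, masked PAN, offset) for each candidate that passes every filter."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):                      # pass 1: checksum
            continue
        brand = classify(digits)                     # pass 2: BIN prefix and length
        if brand is None or digits.startswith(tuple(excluded_bins)):
            continue                                 # pass 3: excluded/test BIN ranges
        findings.append((brand, mask(digits), m.start()))
    return findings

# Constructed sample: Visa test card, Luhn-valid number with no brand, Amex test card, mistyped Visa.
SAMPLE = ("order 1: card 4111-1111-1111-1111 exp 12/29\nticket 9111111111111110\n"
          "amex 378282246310005, typo 4111111111111112\n")
```

The Luhn-valid number with no brand prefix is the kind of hit the BIN pass discards, and the mistyped Visa shows why the checksum runs first.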
What card brands do you support?
The card brands under PCI DSS scope that we support are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. In addition to these brands, users can add their own card brands.
What operating systems are supported?
We can scan most Windows operating systems (Windows 7, 8, 10, 2000, 2003, 2008, 2012, 2016), and CDD can also search most Unix/Linux, Solaris, AIX, Apple Mac OS, HP-UX and FreeBSD based systems.
What databases do you support?
We support most recent versions of Oracle, Microsoft SQL Server, MySQL, Sybase, DB2, Informix, MongoDB, Cassandra and PostgreSQL.
Can you search for card data in databases and tell me what column and table has the card data?
Yes, we can search through Oracle, Microsoft SQL Server, Sybase, MySQL, Informix, DB2, MongoDB, Cassandra and PostgreSQL databases in your enterprise, all from one location.
We don’t just scan the database files on disk like other products; we scan the data in the database tables and columns and pinpoint the location of the data down to the database, table, column and row.
Can I exclude certain files and directories from being searched?
Yes, you can exclude files or directories based on wildcards, e.g., you can exclude *.tmp files or all files in directories such as temp.*
Can I exclude certain databases, tables or even columns from being searched?
Yes, you can exclude databases, tables or columns based on wildcards, e.g., you can exclude *temp* tables.
Do you search for PAN, TRACK 1 and TRACK 2, CVV, PIN data?
Yes – we search for all these data types that fall under PCI scope. Most products only look for the card numbers, which isn’t sufficient for PCI DSS compliance.
You have a great distributed search platform here – can I use it to search for my own regular expression?
Yes, you can enter your own RegEx and we will search for data based on that RegEx. If you don’t feel up to it, we can write the regular expression for you.
What kind of reporting is available?
Reports are available per scan. File system scan reports include file locations, names, network locations, masked card numbers, the card type, and whether the finding is a PAN, CVV etc. Database reports include the server, database name, table and column name instead of the file location. This data can be exported to CSV and Excel for further analysis.
We also provide PDF reports and executive summary reports that can be provided to your QSA or auditor.
Can I run these scans across my enterprise on a schedule?
Yes – you can set the scan up once and then run it on a schedule. This helps ensure that you remain continually in compliance with PCI DSS. Scans can be run weekly, quarterly, semi-annually or yearly, with a lot of flexibility.
We use an Active Directory domain – Can you search all computers in the domain?
Yes, we can, and from one place.
No need to install agents on each machine. No need to maintain these agents.
We search through your entire enterprise from one location without taxing any CPU or network resources on the scanned machines.
Are you going to bring down my network or not let people work on their workstations due to the intensity of your scanning?
Our scanning is unobtrusive and does not tax computing resources. We invite our customers to try out the performance of the software and let it speak for itself.
Can I exclude files specific to my environment as false positives?
Yes, you can exclude files that you have verified as false positives so that they do not show up in subsequent scans.
Do you use credit card BIN ranges or tables to further reduce false positives?
Yes, we use the BIN ranges from various brands and issuers to further reduce false positives.
Can I use this software to find other types of sensitive data – such as Social Security Numbers (SSN) or HIPAA related information?
Yes, you can look for common sensitive information such as US Social Security Numbers (SSNs), HIPAA information such as ICD-9 and CPT codes, certain driver’s license numbers, ZIP codes, bank routing numbers, UK National Insurance numbers, email addresses etc. If we don’t support the data you are looking for, we can search for data matching any regular expression, and we can help you write that expression. However, because such numbers cannot be validated with a checksum the way card numbers can, their false positive rate is higher.
Can I exclude certain test cards or BIN ranges or tokenized cards from the search?
Yes, you can do all of that.
Do you scan email mailboxes and email servers?
Yes, we scan Microsoft Exchange (2010 and 2013), Office 365 and Lotus Notes and also Outlook email mailboxes on each workstation, including email attachments. We also can scan IMAP based email servers.
Can CDD scan Lotus Notes?
Yes, we scan Lotus Notes emails and databases.
Our current QSA is stating that using a credit card finding tool brings that system, plus the network it is on, into PCI Scope. How does your tool locate credit cards in our environment and not increase PCI scope? Since this tool will be specifying the location where the card was discovered, that information, even without presenting the entire PAN, will become a prime target for an individual that wants to steal credit cards. Also, what is your pricing model?
We do not store discovered credit card data as-is – we mask the digits when we store or report the findings. Hence, we do not increase the PCI scope at all. Since we don’t store the card data, there is nothing to steal from our scanner.
Please contact us for pricing.
Do you support SAN or NAS type storage?
Since there are many types of storage, generally speaking we support any storage that presents itself as a CIFS share or as a native OS file system on Windows or Linux platforms. However, we have not tested every hardware manufacturer’s products and their implementation of the CIFS protocol.
Can CDD scan SharePoint?
Yes, we scan SharePoint both through the web-based user interface and through the backend databases.
Can CDD look for custom words and word lists?
Yes, we can look for sensitive or code words and custom word lists.
Can CDD search scanned images and pictures?
Yes, we use Optical Character Recognition (OCR) to search scanned images.
Can CDD scan mainframes?
While we cannot directly scan mainframe systems, we can scan EBCDIC-based files exported from mainframes.
Can CDD install on Linux?
No, the CDD server or scanner installs only on Windows, but it can scan Linux servers and machines (among other operating systems).
Do I have to install CDD on every server that needs to be scanned?
No, not at all. You install CDD on one server and that is all; you do not have to install CDD everywhere. This is a huge time saver when it comes to maintaining the product, and a major benefit of CDD compared to other products.