Get it for FREE
Common FAQs for ControlCase’s CDD Enterprise Software
What file types do you handle?
We handle most common file types including Microsoft Office documents etc. Here is a recent list of file extensions we scan for by default: txt, doc, docx, csv, xls, xlsx, rtf, tsv, bak, bck, bk, bkp, err, log, text, temp, tmp, xml, arc, trc, log, cfg, lck, lok, enr, out, in, sql, msb, dat, ds, is, msg, xsd, plb, nlb, dcr, dcn, aud, htm, rdf, odt, dbf, idx, cdx, bkd, bkl, lst, crd, tmp, 01300, bit, rpt, old, f05, trn, pdf, mdb, one, accdb, mht, zip.
With Enterprise CDD, you can add your own file types/extensions to be scanned.
How do you handle false positives?
We have spent multiple years and a significant amount of effort working on reducing false positives from our product results, and with every new release we keep improving this algorithm.
We run multiple filtering passes through the identified data to reduce the number of false positives discovered. Some common and obvious checks are regular expression matching and LUHN/Mod 10 checks, BIN range checks etc. In addition, we have developed some very sophisticated and proprietary algorithms to perform further checks. We also use our experience gained by scanning petabytes of real-world data globally for our various customers through our Card Data Discovery service to keep improving our false positive algorithm. (Most other product companies do not have such real-world experience nor do they have such a high degree of false positive management).
However, sometimes the numbers that we find (despite being valid card numbers) are not really card numbers. Such information can only be gleaned by a human using the context (file or database) in which the number was discovered.
In addition to the false positive management we built into our product, you can also improve the management by including and excluding card brands, files and directories using wildcard patterns etc. Our enterprise CDD software has a high degree and multiple passes of false positive management. We work with our customers to filter out false positives once they provide us the context that is specific to their environment.
Do you look for files in the recycle bin in Windows?
Will you slow down my systems when you scan?
What kind of credit card data do you find?
What card brands do you support?
What operating systems are supported?
What databases do you support?
Can you search for card data in databases and tell me which column and table has the card data?
Yes, we can search through Oracle, Microsoft SQL Server, Sybase, MySQL, Informix, DB2, MongoDB, Cassandra and PostgreSQL databases in your enterprise, all from one location.
We don’t just scan the database files on the disk like other products, we actually scan the data in the database tables and columns and will precisely pin point the location of the data in the database/table and column down to the actual row.
Can I exclude certain files and directories from being searched?
Can I exclude certain databases, tables or even columns from being searched?
Do you search for PAN, TRACK 1 and TRACK 2, CVV, PIN data?
You have a great distributed search platform here – can I use it to search for my own regular expression?
What kind of reporting is available?
Reports are available per scan and include file locations, names, network locations, masked card numbers, type of card, whether it is a PAN, CVV etc. Database reports include information about the server, database name, table, and column name instead of the file location. This data can be extracted into CSV and Excel and can be used for further analysis.
We also provide PDF reports and executive summary reports that can be provided to your QSA or auditor.
Can I run these scans across my enterprise on a schedule?
We use an Active Directory domain – Can you search all computers in the domain?
Yes, we can. And that too from one place.
No need to install agents on each machine. No need to maintain these agents.
We search through your entire enterprise from one location without taxing any CPU or network resources on the scanned machines.
Are you going to bring down my network or not let people work on their workstations due to the intensity of your scanning?
Can I exclude files specific to my environment as false positives?
Do you use credit card BIN ranges or tables to further reduce false positives?
Can I use this software to find other types of sensitive data – such as Social Security Numbers (SSN) or HIPAA related information?
Can I exclude certain test cards or BIN ranges or tokenized cards from the search?
Do you scan email mailboxes and email servers?
Can CDD scan Lotus Notes?
Our current QSA is stating that using a credit card finding tool brings that system, plus the network it is on, into PCI Scope. How does your tool locate credit cards in our environment and not increase PCI scope? Since this tool will be specifying the location where the card was discovered, that information, even without presenting the entire PAN, will become a prime target for an individual that wants to steal credit cards. Also, what is your pricing model?
We do not store credit card data that we discover as is – we mask the digits when we store or report the findings. Hence, we do not increase the PCI scope at all. We don’t store the card data so there is no question of stealing anything from our scanner.
Please contact us for pricing.