Media Q&A
What is the product being released to market?
Card Recon is a Software Application that scans the file system of a Desktop or Server for the existence of payment card numbers issued by major payment card schemes.
Upon completion of a scan, Card Recon generates a report outlining any findings, categorized by card type and file location. The user is also provided with a workflow to inspect the offending files and, if suitable, remove the findings using the secure file shredding technology embedded within Card Recon.
Additional details of the product including screen shots can be viewed at:
http://www.groundlabs.com/products/crse
What problem is being solved by releasing this product?
Payment card data leakage is an increasingly difficult problem that affects cardholders and financial institutions globally. The problem originates from merchants or their service providers who process credit card payments via computer-based systems that subsequently store the card information without adequate security or protection.
Often the payment card information is being stored without the customers' permission or knowledge. It is also common for organizations to have no clear understanding of where customer payment card data is being stored within their systems, or whether encryption is being used to protect the data.
Card Recon testers to date have reported that payment card numbers are most often found in the following locations:
- Payment server log files
- Staff documents (Spreadsheets, Word documents)
- Email data files (Inbox and Sent Items, common in financial institutions and call centers)
- Application Databases (Flat files, Text Files)
- Browser History and File Cache
Card Recon was designed to make the process of identifying unprotected (unencrypted) payment card information simple and straightforward. By using Card Recon to scan all systems that may be used to handle payment card information, an organization can build confidence that no unencrypted payment card information exists on those systems. The organization may also produce a report of this status for use in any security compliance audit that may take place.
What is the target market for this application?
Card Recon provides the most benefits for the following parties:
- Merchants - Who need to comply with PCI DSS
- Payment Service Providers - Who need to comply with PCI DSS
- Financial Institutions (acquirers) - Who are responsible for ensuring merchants become compliant with PCI DSS
- PCI DSS QSAs - The certified entities who perform on-site reviews of larger merchants and issue certificates of PCI compliance
Are there any recent events where payment card data has been exposed due to insecure handling by a merchant or payment service provider?
Yes. Every year thousands of system compromises occur, resulting in customer payment card information being stolen. Many of these events affect only a small base of cardholders and will therefore go unreported in the public domain. However, when larger entities are compromised the impact is global, with payment card issuers canceling and re-issuing large volumes of cards to affected customers. The most noted payment card data compromises in recent times are:
2005 - Card Systems - US Service Provider - Up to 40 million payment cards stolen.
2007 - TJX Companies - US Retail Group - 45+ million payment cards stolen.
2008 - Heartland Payment Systems - US Service Provider - Potentially more than 100 million payment cards stolen.
These events have substantial press coverage should further information be required.
Do standards exist to require merchants to protect their customers' payment data?
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, transmits or processes payment card information. It is a standard that is enforced by the major card schemes and outlines the minimum security controls that must be in place when handling payment card information.
In particular, the PCI DSS prohibits payment card numbers being stored without adequate protection or justification.
Card Recon assists merchants in complying with at least 3 different areas of the PCI DSS.
More information on the PCI DSS can be found at:
www.pcisecuritystandards.org
What is the motivation for an organization to invest in a product such as Card Recon to assist with PCI DSS compliance?
In the event of compromise, a non-compliant merchant is liable for up to $500,000 per incident in fines.
Any non-compliant merchant will also face the risk of having their merchant facility withdrawn by their sponsoring bank if no path to compliance can be shown within an accepted time frame.
Using recent events as a guide, entities that are compromised become exposed to civil liability from affected financial institutions to cover the costs associated with re-issuance of customer cards.
Is Card Recon the only product a merchant will need to achieve PCI DSS Compliance?
No. The PCI DSS is a detailed standard covering 12 key areas.
Ground Labs has chosen to target a specific area of PCI DSS compliance that most merchants encounter issues with. From our experience and based upon feedback from industry sources, a large number of merchants and service providers who handle payment card information are storing payment cards without protection on both mission critical servers, and across employee desktops within emails and user documents.
We have not encountered any other vendors to date that have invested the same level of effort and focus into solving this specific issue for organizations needing to comply with the PCI DSS.
Are there any other standards for which Card Recon can be used?
Yes. The Payment Card Industry also has a standard for payment application vendors, labeled PA-DSS (Payment Application Data Security Standard).
Card Recon can be used by vendors who are verifying their application against the PA-DSS to show evidence that no unencrypted payment card storage is occurring from the application under certification.
How does Card Recon find payment cards?
Card Recon works in a similar manner to an antivirus product, using signatures to identify and report on data patterns found on a given system.
Card Recon will scan a computer file system, open each file, read through the contents and attempt to identify payment cards in a fast and efficient manner.
Card Recon uses an advanced pattern matching algorithm developed by the Ground Labs engineering team to distinguish real cards from random numbers and therefore minimize the false positive rate that is often encountered when searching for data of this type.
Card Recon's accuracy has been proven to be better than 99.9% in testing to date.
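The passage above describes the general shape of a card-number scanner: find digit patterns, then filter out random numbers before reporting. The following is an added illustration written for this page; it is not Ground Labs' code, and Card Recon's actual matching algorithm is proprietary and not described here. It assumes two widely used public filters, an issuer prefix (IIN) table for the major schemes and the Luhn check digit, and it masks each finding (first six and last four digits) so the report itself does not become another unprotected copy of the card number. The sample "files" are constructed inline using publicly known test card numbers.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits (assumption: one separator style per number).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified public IIN table (assumption; not the product's signature set).
# Each entry: scheme name, prefix predicate, accepted PAN lengths.
SCHEMES = [
    ("Visa", lambda n: n.startswith("4"), {13, 16, 19}),
    ("Mastercard", lambda n: 51 <= int(n[:2]) <= 55 or 2221 <= int(n[:4]) <= 2720, {16}),
    ("American Express", lambda n: n[:2] in ("34", "37"), {15}),
    ("Discover", lambda n: n.startswith("6011") or n.startswith("65")
     or 644 <= int(n[:3]) <= 649, {16, 19}),
]


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: rejects most random or mistyped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(digits: str):
    """Return the scheme name if prefix and length fit a known scheme, else None."""
    for name, matches, lengths in SCHEMES:
        if len(digits) in lengths and matches(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Keep first six and last four digits; never write a full PAN into the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    scheme: str
    masked_pan: str


def scan_text(source: str, text: str) -> list:
    """Scan one file's text; report only candidates that pass prefix, length and Luhn."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            scheme = classify(digits)
            if scheme is None or not luhn_ok(digits):
                continue  # random number, order id, phone number, bad check digit
            findings.append(Finding(source, line_no, scheme, mask(digits)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of filename -> text content (stands in for a file system walk)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def summarize(findings: list) -> dict:
    """Report-style summary: count of findings per card scheme."""
    summary = {}
    for f in findings:
        summary[f.scheme] = summary.get(f.scheme, 0) + 1
    return summary


# Constructed sample data using public test card numbers; the constructed phone number,
# order id and the Visa number ending in ...1112 (bad Luhn digit) must NOT be reported.
SAMPLE_FILES = {
    "payment.log": (
        "2009-03-15 10:22:01 AUTH ok pan=4111-1111-1111-1111 amount=19.95\n"
        "2009-03-15 10:22:07 AUTH declined pan=4111111111111112 amount=5.00\n"
    ),
    "refunds.csv": "order,card,amount\n1234567890123456,5555 5555 5555 4444,42.00\n",
    "mail.txt": "Please charge my Amex 378282246310005, phone +61-2-5555-0100\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.source}:{f.line_no} {f.scheme} {f.masked_pan}")
    print(summarize(results))
```

The two filters work together: the prefix and length table discards digit runs that could never be a card from a known scheme, and the Luhn check discards roughly nine in ten of the remaining random runs. Real scanners add further heuristics, and as the page notes, the product's own matching is considerably more elaborate than this sketch.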
What file formats can Card Recon search?
There are too many specific formats to list; however, Card Recon will identify payment cards contained in a wide variety of file formats including Microsoft Office, Open Office, Adobe PDF, compressed files, and various other forms of structured file formats.
In addition, Card Recon identifies popular email client software including Microsoft Outlook and will search through user emails for the existence of unencrypted payment card numbers.
How has Ground Labs validated the suitability of Card Recon for the Payment Card Industry?
Over an extensive period Ground Labs conducted an industry consultation program by inviting a wide variety of security professionals and PCI QSAs (Qualified Security Assessors) to review and comment upon Card Recon and its suitability when auditing against the PCI DSS.
In addition to Ground Labs' own internal testing efforts, high levels of testing were conducted by industry participants and substantial feedback was received. This was incorporated into the final release being offered, which to date has identified millions of payment card numbers stored across many terabytes of information.
One of the participants in this process has written a testimonial that can be read here:
http://www.groundlabs.com/testimonial/kelvin_heath
Is Card Recon suitable for home users?
Yes, Card Recon can be used by home users and will provide benefits in identifying personal payment card information stored on a PC without protection. However, Ground Labs has positioned Card Recon as a commercial compliance solution and as such will not be directly targeting home users as potential customers.
What are the costs to license Card Recon?
Card Recon is licensed on a per instance basis with discounts available for volume purchases.
For full pricing please visit:
http://www.groundlabs.com/products/pricing
Is a Free Version of Card Recon available?
Yes, Card Recon Free Edition can be downloaded from:
http://www.groundlabs.com/products/getfree
The Free Edition provides the same advanced payment card matching abilities as the Standard Edition; however, it is available for Windows platforms only and does not include reporting capabilities. Ground Labs does not recommend it for commercial use.
What platforms are supported by Card Recon?
Card Recon Standard Edition presently supports both Windows Desktop/Server and Linux environments. A Mac version is presently in the development pipeline.
Ground Labs is also offering customized versions of Card Recon to customers who operate enterprise or legacy platforms including HP UX, Solaris, Non-Stop and similar platforms. Please contact Ground Labs directly for more information.
Is the commercial version of Card Recon available to the media for product review?
Yes, Ground Labs is offering members of the press and online media a licensed version of Card Recon for product review and media reporting purposes. Please contact us via email at media@groundlabs.com to arrange access.
Note: Ground Labs will only approve applications from identifiable media representatives. Please ensure all details are provided to enable us to process your application in a quick and timely manner.
Ground Labs Images
Ground Labs Logo (sized bitmaps)
Ground Labs Logo (vector format)
Media Contact
Peter Duthie
Chief Architect
media@groundlabs.com
Ground Labs
Suite 5, 259 Clarence St
Sydney, NSW 2000
Australia
Tel: +61-2-8211-9170
Fax: +61-2-8211-9180
