August 2022

The Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2004 and has radically improved the security of card payments worldwide. From its first iteration, PCI DSS recognized the importance of knowing where account data is in a network and how it moves within an organization and on to third parties. This is the concept of “scoping,” and is the starting point of any compliance initiative. 

You can’t protect what you don’t know.

Scoping and Data Discovery for PCI DSS 

Data discovery is the foundation of scoping for PCI DSS. Organizations need to know where their account data is within their network. At the start of a compliance program, there are likely to be unexpected stores of data, including in email systems and on end-user devices. Once an organization knows where the data is, it can establish a cardholder data environment — a secure environment for card data processing — onto which it applies PCI DSS controls, migrate card data into this environment and securely eradicate it from other locations.

PCI DSS 4.0 introduces a requirement for merchants and service providers to validate their scope periodically — every 12 months for merchants and every 6 months for service providers.

Beyond Scoping in PCI DSS 4.0

Although data discovery is most frequently used for scoping and scope validation, it can be used to support up to 27 controls of PCI DSS 4.0 across four requirements. 

Requirement 1: Install and maintain network security controls
Data discovery validates the network boundaries of scope and demonstrates that data flows are up to date.
Requirement 3: Protect stored account data
Discovery scans identify account data, including SAD, wherever it is stored. Periodic scans can confirm that data has been deleted when it has passed its retention period.
Requirement 6: Develop and maintain secure systems and software
Discovery scans verify that account data is not present in non-production environments.
Requirement 12: Support information security with organizational policies and programs
As part of periodic scope revalidation, data discovery verifies in-scope systems and data repositories. Advanced discovery solutions offer remediation-in-place for data found in unexpected locations.

Industry-leading Data Discovery for PCI DSS from Ground Labs

Effective data discovery goes beyond scripted and RegEx searches, which are prone to false positives (and negatives) and typically exclude parts of the network or are incompatible with business systems. Advanced data discovery offerings such as Ground Labs Enterprise Recon PCI and Card Recon Server edition provide remediation-in-place capabilities to help streamline compliance efforts.
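To make the false-positive problem concrete, the following is an added example (not Ground Labs code, and not how GLASS Technology works) that scans a constructed text sample the way a naive RegEx search would, then triages each hit with a Luhn mod-10 check and the public issuer prefixes of the major card brands. The PANs in the sample are the brands' published test numbers, not real accounts; the order id and batch timestamp are constructed to show what a digit-run pattern picks up on its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the kind of text a discovery scan finds in a log export or a
# spreadsheet on an end-user device. PANs are card-brand test numbers, not real data.
SAMPLE_TEXT = """\
2022-08-15 invoice export
customer=alice pan=4111 1111 1111 1111 exp=12/24
order_id=1234567890123456 amount=19.99
customer=bob pan=5555-5555-5555-4444
batch_ts=20220815120000
amex corporate 378282246310005
phone=+1 415 555 0199
"""

# Candidate pattern: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. This is the broad "RegEx search" that over-matches
# on order numbers and timestamps when used on its own.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_for(digits: str) -> Optional[str]:
    """Map a digit string to a major brand using public issuer prefixes; None if unknown."""
    if digits.startswith("4") and len(digits) in (13, 16, 19):
        return "Visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if len(digits) == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    return None


@dataclass
class Finding:
    line_no: int
    raw: str
    digits: str
    luhn_ok: bool
    brand: Optional[str]

    @property
    def confidence(self) -> str:
        # "regex-only" hits are the false positives a plain pattern search would report.
        if self.luhn_ok and self.brand:
            return "high"
        if self.luhn_ok:
            return "medium"
        return "regex-only"


def scan_text(text: str) -> List[Finding]:
    """Run the candidate pattern line by line and triage every hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            findings.append(Finding(line_no, m.group(0), digits, luhn_valid(digits), brand_for(digits)))
    return findings


def mask(digits: str) -> str:
    """Keep only first 6 and last 4 so the report itself does not become a store of PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line_no}: {mask(f.digits)} luhn={f.luhn_ok} brand={f.brand} -> {f.confidence}")
```

On the sample, the pattern alone reports five hits; the Luhn and prefix triage keeps the three test PANs as high confidence and flags the order id and timestamp as regex-only. The Luhn check is only a filter: roughly one in ten random digit strings passes it, and numbers stored without separators inside longer fields, in binary formats or in mailbox stores are not reached by a line-oriented text pattern at all, which is the coverage gap the text describes.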

Ground Labs Enterprise Recon PCI offers enterprise data discovery tailored for PCI DSS compliance. Powered by GLASS Technology™, Enterprise Recon provides fast, accurate results identifying account data from all major card brands. 

Ground Labs Card Recon products are designed with small- and medium-sized organizations in mind. Coming in both Desktop and Server editions, Card Recon is a flexible and lightweight data discovery solution, developed specifically to support PCI DSS compliance.

About Ground Labs

Ground Labs was founded in 2007 with the purpose of helping organizations understand their data environments and support their compliance goals. With offerings for enterprise organizations as well as small- and medium-sized businesses, Ground Labs is a market leader in data discovery for PCI DSS, PII and sensitive data. To find out more and to request a demonstration, visit https://www.groundlabs.com/contact/.
