As a PCI QSA (Payment Card Industry Qualified Security Assessor), I find any product which promises to make PCI DSS Assessments more efficient and validate findings to be of interest. I evaluated Card Recon from Ground Labs and used it on a number of client engagements to determine whether it would be a useful tool for our team of QSAs.

Card Recon is very effective at finding credit card numbers. Unlike many of the freeware products, Card Recon will report credit card numbers stored in a number of different formats, including Excel spreadsheets, documents, emails, zip files, even recursive zip files.

Most of the operating systems currently in use for credit card processing applications and back office functions are supported by Card Recon; others are under development.

The user interface is simple to navigate and indicates to the user the progress and current status of the scan. The report contains sufficient information to allow the user to easily identify and confirm the location of stored credit card data.

In my experience, the Card Recon product is very effective at eliminating false positives. Some credit card numbers generated as test data were noted, but as these may well be real credit card numbers, it is reasonable that these were reported.

In every case in which I have used Card Recon, even when scanning well-managed systems, it has identified stored credit card data that had previously been undetected. This is proof of the value of Card Recon not only for QSAs charged with the responsibility to ensure credit card data is protected, but also for organisations validating their own compliance and preparing for a PCI DSS Assessment. Card Recon has proven to be an effective tool to identify stored credit card data.

Kelvin Heath
Chief Security Officer
QSA CISA CISSP CISM
Vectra Corporation Ltd
