{"id":2854,"date":"2014-03-17T12:37:07","date_gmt":"2014-03-17T12:37:07","guid":{"rendered":"https:\/\/dn-www.azurewebsites.net\/2014\/03\/17\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/"},"modified":"2024-02-06T12:27:35","modified_gmt":"2024-02-06T12:27:35","slug":"verifying-pci-dss-scope-hunting-for-credit-card-numbers","status":"publish","type":"post","link":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/","title":{"rendered":"Verifying PCI DSS Scope: Hunting for Credit Card Numbers"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2854\" class=\"elementor elementor-2854\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-28e6d46e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"28e6d46e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6467042f\" data-id=\"6467042f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4174a3dd elementor-widget elementor-widget-text-editor\" data-id=\"4174a3dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if the documented scope means that no cardholder data is stored, there still may be some cardholder details that have been inadvertently left in documents. These credit card details may either be left over from activities prior to working towards PCI DSS compliance, or it may be that company credit card procedures have been breached. There are some good tools out there that search for cardholder data on PCs and networks, however I was looking for something that could easily run standalone on individual PCs and search a hard drive relatively quickly. Dionach developed PANhunt, which does exactly that. It is a Python script that is easily converted to a standalone executable, which can then be run off a USB stick. PANhunt uses simple regular expressions to look for Visa, MasterCard and American Express card numbers in document and email files such as Word documents, Excel spread sheets, TXT files, XML and PST files. PANhunt also searches ZIP files recursively. PANhunt will create a report listing masked PANs found. Some system files do generate false positives, but Windows system folders are excluded by default. The current release will not search Access databases, but will list where they are located. The scripts and instructions can be found at https:\/\/github.com\/Dionach\/PANhunt. Technically, searching across a C:\\ drive for files with a certain extension is straightforward in Python. PANhunt treats documents as text files, or in the case of DOCX and XLSX as ZIP files. Text files can be easily searched using regular expressions to match the different credit card types. The PST format was more challenging. Microsoft has published the PST file format as an open specification here: https:\/\/msdn.microsoft.com\/en-us\/library\/ff385210. There are some code libraries out there in different languages such as Java, and C#, however they didn&#8217;t provide everything needed, weren&#8217;t in Python, or just didn&#8217;t work. So, I developed pst.py to parse PST files and so provide access to emails and attachments contained in them. The script supports both ANSI or Unicode PST formats. A few interesting things I learnt about PST files:<\/p>\n<ul>\n<li>The published specification is wrong in at least two places about the ANSI format.<\/li>\n<li>Setting a PST password does not encrypt anything, it just sets a password property in the PST file. This can be ignored.<\/li>\n<li>Recent Microsoft Outlook client versions seem to encode PST data sections by default, so you can&#8217;t easily see email text in the raw PST file. The decoding algorithm looks complicated in the specification but reduces to quite a simple substitution algorithm.<\/li>\n<li>Hopefully PANhunt will be useful for people who want to easily check if there are any credit card numbers stored on local PCs.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if the documented scope means that no cardholder data is stored, there still may be some cardholder details that have been inadvertently left in documents. These credit [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[216,217],"class_list":["post-2854","post","type-post","status-publish","format-standard","hentry","category-researchblog","tag-compliance","tag-pci_dss","wpbf-post"],"contentshake_article_id":"","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Verifying PCI DSS Scope: Hunting for Credit Card Numbers<\/title>\n<meta name=\"description\" content=\"PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if\" \/>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Verifying PCI DSS Scope: Hunting for Credit Card Numbers\" \/>\n<meta property=\"og:description\" content=\"PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if\" \/>\n<meta property=\"og:url\" content=\"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/\" \/>\n<meta property=\"og:site_name\" content=\"Dionach\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/dionachcyber\" \/>\n<meta property=\"article:published_time\" content=\"2014-03-17T12:37:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-06T12:27:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/dionach.development-visionsharp.co.uk\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Dionach Admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:site\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dionach Admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/\"},\"author\":{\"name\":\"Dionach Admin\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#\\\/schema\\\/person\\\/effca060e22bfa3cc6cd03f74a50fdb4\"},\"headline\":\"Verifying PCI DSS Scope: Hunting for Credit Card Numbers\",\"datePublished\":\"2014-03-17T12:37:07+00:00\",\"dateModified\":\"2024-02-06T12:27:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/\"},\"wordCount\":493,\"publisher\":{\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#organization\"},\"keywords\":[\"compliance\",\"PCI DSS\"],\"articleSection\":[\"researchblog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/\",\"url\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/\",\"name\":\"Verifying PCI DSS Scope: Hunting for Credit Card Numbers\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#website\"},\"datePublished\":\"2014-03-17T12:37:07+00:00\",\"dateModified\":\"2024-02-06T12:27:35+00:00\",\"description\":\"PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/homepage-usa\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Verifying PCI DSS Scope: Hunting for Credit Card Numbers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#website\",\"url\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/\",\"name\":\"Dionach\",\"description\":\"Real Security in a Virtual World\",\"publisher\":{\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#organization\",\"name\":\"Dionach\",\"url\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/dionach.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"contentUrl\":\"https:\\\/\\\/dionach.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"width\":512,\"height\":512,\"caption\":\"Dionach\"},\"image\":{\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/dionachcyber\",\"https:\\\/\\\/x.com\\\/dionachcyber\",\"https:\\\/\\\/uk.linkedin.com\\\/company\\\/dionach-ltd\",\"https:\\\/\\\/www.instagram.com\\\/dionachcyber\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/dionach.development-visionsharp.co.uk\\\/en-us\\\/#\\\/schema\\\/person\\\/effca060e22bfa3cc6cd03f74a50fdb4\",\"name\":\"Dionach Admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"caption\":\"Dionach Admin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Verifying PCI DSS Scope: Hunting for Credit Card Numbers","description":"PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Verifying PCI DSS Scope: Hunting for Credit Card Numbers","og_description":"PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if","og_url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/","og_site_name":"Dionach","article_publisher":"https:\/\/www.facebook.com\/dionachcyber","article_published_time":"2014-03-17T12:37:07+00:00","article_modified_time":"2024-02-06T12:27:35+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/i0.wp.com\/dionach.development-visionsharp.co.uk\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1","type":"image\/jpeg"}],"author":"Dionach Admin","twitter_card":"summary_large_image","twitter_creator":"@dionachcyber","twitter_site":"@dionachcyber","twitter_misc":{"Written by":"Dionach Admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/#article","isPartOf":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/"},"author":{"name":"Dionach Admin","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#\/schema\/person\/effca060e22bfa3cc6cd03f74a50fdb4"},"headline":"Verifying PCI DSS Scope: Hunting for Credit Card Numbers","datePublished":"2014-03-17T12:37:07+00:00","dateModified":"2024-02-06T12:27:35+00:00","mainEntityOfPage":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/"},"wordCount":493,"publisher":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#organization"},"keywords":["compliance","PCI DSS"],"articleSection":["researchblog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/","url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/","name":"Verifying PCI DSS Scope: Hunting for Credit Card Numbers","isPartOf":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#website"},"datePublished":"2014-03-17T12:37:07+00:00","dateModified":"2024-02-06T12:27:35+00:00","description":"PCI DSS requires that the scope of assessment must be checked to make sure the scope is accurate. This check must also be carried out every year. Even if","breadcrumb":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/verifying-pci-dss-scope-hunting-for-credit-card-numbers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/homepage-usa\/"},{"@type":"ListItem","position":2,"name":"Verifying PCI DSS Scope: Hunting for Credit Card Numbers"}]},{"@type":"WebSite","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#website","url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/","name":"Dionach","description":"Real Security in a Virtual World","publisher":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#organization","name":"Dionach","url":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#\/schema\/logo\/image\/","url":"https:\/\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","contentUrl":"https:\/\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","width":512,"height":512,"caption":"Dionach"},"image":{"@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/dionachcyber","https:\/\/x.com\/dionachcyber","https:\/\/uk.linkedin.com\/company\/dionach-ltd","https:\/\/www.instagram.com\/dionachcyber\/"]},{"@type":"Person","@id":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/#\/schema\/person\/effca060e22bfa3cc6cd03f74a50fdb4","name":"Dionach Admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","caption":"Dionach Admin"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/ph4Ojq-K2","_links":{"self":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/posts\/2854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/comments?post=2854"}],"version-history":[{"count":0,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/posts\/2854\/revisions"}],"wp:attachment":[{"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/media?parent=2854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/categories?post=2854"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/wp-json\/wp\/v2\/tags?post=2854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}