Cardholder Data (CHD) Discovery Service

You cannot expect to adequately protect payment card data, which you are not aware of. The identification of where Cardholder Data (CHD) is located is a critical step in defining the Card Data Environment (CDE)

Many industry experts believe that, along with quarterly scanning, being able to consistently identify misplaced cardholder data can significantly reduce the chance of a data breach.

In our experience, organisations think they have secured payment card information, only to find sensitive authentication data in development databases, insecure file shares, and PAN’s stored inadvertently in de-bug outputs, and log files.

Our Cardholder Data (CHD) Discovery Service provides a comprehensive, low-impact review of your organisations assets, quickly and accurately determining misplaced card holder data and non-compliant storage of sensitive authentication data, remediating areas of high risk, and implementing measures to maintaining both control, and PCI compliance.

Fast Track Your PCI DSS Compliance

Request an initial PCI DSS Compliance Program consultation.



We will first determine the scope of the discovery, reviewing your organisations technical infrastructure, including areas typically outside of the transaction environment.

Using our specialised CHD discovery software, our PCI consultants will perform a deep scan on areas identified such as, files, network shares, emails, databases, memory, cloud storage and more to identify non-compliant storage of payment card numbers and sensitive authentication data, issued by all major card brands.

Identifying areas of high risk, we will agree any short-term remediation actions such as secure data deletion, or masking and provide you with strategic guidance to assist with accurate definition of your Card Data Environment (CDE)

Key Benefits

  • Quickly identify unsecured Cardholder Data (CHD), stored outside the transaction environment.
  • Find and secure Sensitive Authentication Data (SAD), stored using non-compliant methods and stored in insecure locations
  • Highlight and remediate broken business processes.
  • Effectively establish assurance of PCI compliant cardholder data (CHD) storage practices.
  • Provides ongoing assurance of scope of compliance and ensures cardholder data is not being inadvertently stored outside of the Cardholder Data Environment (CDE)
  • Reduces the opportunity of a data breach

Our Methodology

Stage 1: Pre Assessment Phase (Off- Site)

  • Meeting with key staff members
  • Walkthrough of engagement activities, and agree roles.
  • Review existing network diagrams, card data flows and supporting documentation.
  • Confirm scope of assessment and scan schedule.

Stage 2: CHD Discovery Phase (On- Site)

  • Perform automated scan of File Systems (workstations, servers, file shares, NAS, SAN etc) and Databases (SQL Server, Oracle, MySQL, Postgres, Sybase, MS Access etc) for Cardhollder Data (CHD) and Sensitive Authentication Data (SAD).
  • Identify non-compliant hosts against known secure systems within the CDE

Stage 3: Assessment and Analysis

  • On-site interview and information gathering
  • Provide recommendations for remediation of non-compliant hosts

Stage 4: Reporting 

  • Produce and delivery of Card Holder Data Discovery Report
  • Outline strategic guidance for accurate definition of CDE Scope


Total: 4 Days

Onsite: 2 Days

Remote: 2 Days


Card Holder Data (CHD) Discovery Report– (detailed discovery scan report including overall statement of compliance, compliant and non-compliant hosts, and high level overview, with recommendations for remediation)

Strategic Card Data Environment (CDE) Data Flow Guidance– (to be used in conjunction with existing card holder data flows)

Speak to us today, to find out how JAW Consulting UK can help you locate and secure card holder data.

Associated services