Tuesday, July 01, 2008

Finding Credit Card Data for PCI Compliance Work

During a PCI compliance audit you are, as a QSA, required to verify that various types of sensitive card data are not stored, period. Some types are permitted, i.e. the PAN (card number) and the expiry date, as long as they are "protected". As someone with audit experience you know you won't get a truthful or comprehensive answer from the customer being audited. Often they don't know the entire process, or they know that there might be "grey" areas.


So you have to test portions of the environment yourself, which is tricky at best. There are, however, some tools to help you find sensitive data in the environment:


https://source.its.utexas.edu/groups/its-iso/projects/senf/


http://www.hackaday.com/2008/06/20/finding-sensitive-data-with-freeware/
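The core of what such scanners do is small: pull out digit runs that look like a card number, keep only those that pass the Luhn check, and report them masked so the scan output itself does not become another place full PANs are stored. The script below is an added example written for this post, not code from senf or from the tool in the article above; the log lines are constructed, using the public test card numbers rather than real ones.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Deliberately wide; the Luhn check filters it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real card data): the card numbers are the
# public Visa/Amex test numbers, the order id is a Luhn-invalid 16-digit number.
SAMPLE_LOG = """\
2008-07-01 10:15:02 order=1234567890123456 status=ok
2008-07-01 10:15:03 card=4111111111111111 exp=0910 auth=approved
2008-07-01 10:16:44 card=4111-1111-1111-1111 retry
2008-07-01 10:17:10 amex=378282246310005 auth=declined
"""

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN satisfies; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits only, so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[dict]:
    """Return Luhn-valid PAN hits as {'line': n, 'masked': '411111******1111'} records."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))  # drop separators before checking
            if luhn_valid(digits):
                hits.append({"line": lineno, "masked": mask_pan(digits)})
    return hits

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print(f"line {hit['line']}: possible PAN {hit['masked']}")
```

Expect false positives from Luhn-valid identifiers that are not cards (some account and serial numbers pass the check), so every hit still needs a human look before it goes into the audit findings.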


