0

Someone has queried me to see if they can use their customers credit card numbers as membership numbers.

So looking up the PCI requirements for storing credit card numbers it says that a one way hash of the credit card number is required. Page 38 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

It doesn't however say what hashes are acceptable?

So really all I need to accomplish is to convert a card number into a membership number which will be a hashed credit card number.

What is the easiest hash to implement as I'm working with a proprietary scripting language.

PaulG
  • 13,871
  • 9
  • 56
  • 78
CathalMF
  • 9,705
  • 6
  • 70
  • 106
  • 3
    "...if they can use their customers credit card numbers has membership numbers..." Just no. Tell them just no, and to use something else which will not get you in trouble once the thing blows up in your face. – PeeHaa Nov 21 '14 at 15:22
  • Agree with PeeHaa, if there are alternatives for using highly sensitive data for a mundane purpose, use one of them. Card numbers also frequently change when a new card is issued on expiry. – Alex K. Nov 21 '14 at 16:48

3 Answers3

3

The PCI documents do specify to use 'strong cryptography', and points you to the glossary of terms for more information.

Glossary states

"use industry-tested and accepted alogorithms [...] SHA-1 is an example of an industry-tested and accepted hashing algorithm. "

The trouble however, is that you need access to the raw card number in order to produce these hashes. If you have access to the raw card data, then the full weight of PCI compliance comes crashing down on you. You can't just hash these numbers and hope for the best, you need compliance in every aspect of PCI, including securing your network to PCI standards, maintaining information security policies for staff and so on.

Best practice is to avoid having card data pass through your network or systems at all. Let a third party provider manage this and return token ids. You could then safely map token ids to cardholders.

PaulG
  • 13,871
  • 9
  • 56
  • 78
0

Simple alternative: Use a persistent variable which is incremented every time a new membership number is required.

You can also use a random number, but then you have to ensure it hasn't been used.

Credit card numbers are not entirely random, meaning dictionary-based brute force attacks are easier than if fully random. And as mentioned in the comments, they change and could cause you legal trouble in terms of financial regulations.

Ioan
  • 2,382
  • 18
  • 32
0

As far as I know, the auditors allow tokens ("hashes") preserving last 4, or even first 6 and last 4 digits. Then again, you are in PCI scope as long as the real numbers touch your devices.

ptrk
  • 1,800
  • 1
  • 15
  • 24