0
votes

I'm trying to find the best way to uniquely identify customers before they make a purchase to ensure a coupon code isn't used twice by the same person. I do not intend to make my website full PCI compliant since I'm not planning on storing Credit Card numbers (only does POST.) I want to generate a SHA 256 (one way encryption) of the first name concatenated with the last name and the credit card number and store this into my database. Would this require PCI-compliance, although it is a one way encryption? What about using the first name + last name + last 4 digits of the credit card, would it still require full PCI compliance?

Thanks,

1
SHA-256 is called a "hash", not "one way encryption". You cannot in the general case decrypt a hash, since multiple valid inputs will necessarily produce the same hash (infinite set of inputs, finite set of hash values). – Eric J.

Right, hash, but isn't the fact that you can't decrypt it making it a one-way encryption method? – Loic Duros

Afaik, keeping any card holder data adds security requirements to your computer system; I don't know of any standard exception for hashes. Also, if the system ever receives posts with unencrypted credit card numbers, it'll definitely add further restrictions even if you don't store them. – Joachim Isaksson

No, encryption by its very nature can also be decrypted (at least the way the word is defined in the field of cryptography). – Eric J.

1 Answer

2
votes

The fact that you're able to obtain the full card numbers at all means that you're going to be involved with PCI compliance, regardless of how you plan to generate the hash.

If you are able to hash the card numbers, and only store a hash, then this will certainly make your path towards PCI compliance easier, but you will still need to work through the other issues to ensure that (e.g.) no rogue employee can gather the card data prior to hashing.

Hashing with SHA256 is acceptable, so long as each card has a unique salt. Your plan to use first name + last name as a salt would probably be considered acceptable here.

Ideally though you'd work with a payment gateway that captured and tokenised the card details. This would mean you never have access to the full card number and would all but eliminate your responsibilities with PCI compliance, and also mean that you could probably just use the token id in place of the card number, and no hashing required.
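As an added illustration (not code from the question or the answer), one way to implement the duplicate-coupon check in Python. It keeps a fingerprint per customer instead of the card number, but uses a keyed hash (HMAC-SHA256 with a key held outside the database) rather than the first-name + last-name salt discussed above, and shows the gateway-token path beside it. The ledger class, the demo key, the names and the test card number are all constructed for this example.

```python
import hmac


def normalise(first: str, last: str, pan: str) -> bytes:
    # Canonicalise the inputs so that "Loic Duros / 4111 1111 1111 1111" and
    # "loic  DUROS / 4111-1111-1111-1111" yield the same fingerprint.
    name = " ".join((first + " " + last).lower().split())
    digits = "".join(ch for ch in pan if ch.isdigit())
    return (name + "|" + digits).encode()


def fingerprint(first: str, last: str, pan: str, key: bytes) -> str:
    # Keyed hash: the key is stored outside the database (e.g. in the app's
    # secret store), so a leaked fingerprint table cannot be searched over the
    # comparatively small space of valid card numbers. The PAN itself is never
    # written anywhere.
    return hmac.new(key, normalise(first, last, pan), "sha256").hexdigest()


class CouponLedger:
    """Stands in for a database table of (coupon_code, customer_id) rows."""

    def __init__(self, key: bytes):
        self._key = key
        self._redeemed: set[tuple[str, str]] = set()

    def _redeem(self, coupon: str, customer_id: str) -> bool:
        # Returns True on first use, False if this customer already used the code.
        if (coupon, customer_id) in self._redeemed:
            return False
        self._redeemed.add((coupon, customer_id))
        return True

    def redeem_with_card(self, coupon: str, first: str, last: str, pan: str) -> bool:
        # Path where the merchant still sees the PAN: hash it immediately,
        # keep only the fingerprint.
        return self._redeem(coupon, fingerprint(first, last, pan, self._key))

    def redeem_with_token(self, coupon: str, gateway_token: str) -> bool:
        # Preferred path: the payment gateway tokenised the card, so the token
        # id is the customer identifier and no hashing is required.
        return self._redeem(coupon, gateway_token)


if __name__ == "__main__":
    ledger = CouponLedger(b"constructed-demo-key-not-for-production")
    print(ledger.redeem_with_card("SAVE10", "Loic", "Duros", "4111 1111 1111 1111"))  # True
    print(ledger.redeem_with_card("SAVE10", "loic", "DUROS", "4111-1111-1111-1111"))  # False
    print(ledger.redeem_with_token("SAVE10", "tok_constructed_123"))  # True
```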