Hashing a credit card number

I was giving a little more thought to a question I asked previously concerning using a hash to establish a fingerprint of a credit card. I don't want to be able to pull the number back out for liability reasons, I just want to know if the card has been used before on the site. After a little research I'm thinking of taking a SHA-256 hash of the card number, its CVN number and billing address and some salt value so the attacker would need to gain access to both database and code base to even start the crack. Since hashing is a one-way process, and the chance of two SHA-256 hashes colliding is astronomically low, I think this would be safe, but I'm not a security expert.

I figured that hashing the number alone would be unsafe: if an attacker has the hash and discovers the salt they can run numbers against it until they find a match. A little educated guessing about credit cards in general (Visa cards nearly always start with 4) can reduce the range down further. I don't know how long it would take an attacker to do this, but I imagine it isn't as long as trying the reverse. Throwing in the billing address just adds another dimension of complexity, especially if it isn't stored elsewhere.

But again, I’m not a security expert so I’m not sure. Does the above sound safe?

I, too, am not a security expert.
Based on what you described I would say using a one-way hash seems a reasonable approach.
And adding the CVN plus a salt should make it reasonably secure.
You make a good case about "brute force" attempts; however, guessing credit card numbers and the associated CVN seems quite difficult. I guess that is the reason for the additional number (knowing the format of the numbers means, theoretically, I could simply create a number and the likelihood is that it has been issued to SOMEONE).

One caution that comes to mind if you intend to include the billing address in your hashing:
Suppose my address is: 123 Bayview Drive. I may enter it (from one time to another) as:

  • 123 Bay View Dr.
  • 123 BayView Dr.
  • 123 Bayview Drive
  • 123 Bayview

You get my point I am sure.

Numeric data is far less unreliable than Alphanumeric data.
Just my observations/thoughts.

Once you have the credit card number the bank API lets you pull the billing address and name for the number if I remember correctly.
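The design question in the thread, as an added example that is not code from any of the posters: a card fingerprint built with HMAC-SHA256 under a secret key held apart from the database, instead of a plain salted hash, because the set of Luhn-valid card numbers behind a known issuer prefix is small enough to enumerate once the salt is in hand. The key value, the helper names and the keyspace arithmetic are assumptions made for this example; the CVN is left out deliberately, since PCI DSS does not permit retaining it after authorization.

```python
import hashlib
import hmac
import re

# Hypothetical key for the demo. In production it comes from a secrets manager or HSM,
# held apart from the database that stores the fingerprints, so a database dump alone
# (salt included) is useless. Assumption added for this example, not from the post.
FINGERPRINT_KEY = b"constructed-demo-key-rotate-me"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111-1111-...' match."""
    pan = re.sub(r"[\s-]", "", raw)
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return pan


def card_fingerprint(raw_pan: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed fingerprint of the PAN only.

    HMAC needs the secret key, so an attacker holding the table cannot test
    candidate numbers offline the way they could against hash(salt + pan).
    The CVN is not included: PCI DSS forbids retaining it after authorization.
    """
    return hmac.new(key, normalize_pan(raw_pan).encode(), hashlib.sha256).hexdigest()


def plain_hash_keyspace(pan_len: int = 16, known_prefix_len: int = 6) -> int:
    """Luhn-valid PANs an attacker must try against a plain salted hash when the
    issuer prefix (BIN) is known: the free digits, minus the one check digit."""
    return 10 ** (pan_len - known_prefix_len - 1)
```

With a six-digit BIN known, `plain_hash_keyspace()` is one billion candidates, a few minutes of SHA-256 on commodity hardware, which is why the key rather than the salt has to be the secret.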
