I was giving a little more thought to a question I asked previously concerning using a hash to establish a fingerprint of a credit card. I don’t want to be able to pull the number back out for liability reasons; I just want to know if the card has been used before on the site. After a little research I’m thinking of taking a SHA-256 hash of the card number, its CVN number and billing address and some salt value so the attacker would need to gain access to both database and code base to even start the crack. Since hashing is a one-way process, and the chance of two SHA-256 hashes colliding is astronomically low, I think this would be safe, but I’m not a security expert.
I figured that hashing the number alone would be unsafe - if an attacker has the hash and discovers the salt they can run numbers against it until they find a match. A little educated guessing about credit cards in general (Visa cards nearly always start with 4) can reduce the range down further. I don’t know how long it would take an attacker to do this, but I imagine it isn’t as long as trying the reverse. Throwing in the billing address just adds another dimension of complexity, especially if it isn’t stored elsewhere.
But again, I’m not a security expert so I’m not sure. Does the above sound safe?
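The scheme described in the question, as an added example that is not part of the original post: it swaps the salted SHA-256 for HMAC-SHA256 keyed with a secret held outside the database, and counts how many inputs remain to be guessed if that secret leaks and the issuer prefix is known. The function names, the address normalization, the 6-digit known prefix and the test card number are assumptions made for illustration.

```python
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_address(address: str) -> str:
    """Fold case, punctuation and spacing so retyped addresses still match."""
    return re.sub(r"[^a-z0-9]+", " ", address.lower()).strip()


def card_fingerprint(key: bytes, pan: str, cvn: str, address: str) -> str:
    """Keyed, non-reversible fingerprint of card number + CVN + billing address."""
    pan = re.sub(r"\D", "", pan)
    if not (12 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a plausible card number")
    fields = (pan, cvn.strip(), normalize_address(address))
    # Length-prefix each field so ("12", "3") and ("1", "23") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def candidate_space(pan_len: int = 16, known_prefix: int = 6, cvn_len: int = 3):
    """Inputs left to guess when the key has leaked and the issuer prefix is known.

    The last digit is fixed by Luhn, so it adds nothing to the search space.
    Returns (card numbers only, card numbers x CVN).
    """
    free_digits = pan_len - known_prefix - 1
    return 10 ** free_digits, 10 ** (free_digits + cvn_len)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # assumption: real key lives outside the DB
    print(card_fingerprint(key, "4111 1111 1111 1111", "123", "1 Main St."))
    print(candidate_space())
```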