Tuesday, January 3, 2012

Credit Card Data storage

Based on business requirements and PCI DSS requirements, hashing is a suitable method for protecting stored card numbers. Hashing the card number alone is the minimum requirement for PCI compliance. Some applications store the card number both encrypted and hashed, using the hash to allow efficient searching and matching of card numbers.
Most ecommerce and payment applications that store credit card numbers hashed fall into one of the six following design patterns, which differ in which other digits are stored in plaintext:

Pattern 1
Fields stored: 1. Card Number (hashed)
Description: Only the card number is stored hashed and no digits are stored as plaintext. This pattern is usually in applications that also encrypt the card number. The card number is stored as a hash to allow for efficient searching and matching.

Pattern 2
Fields stored: 1. Card Number (hashed); 2. Brand
Description: The card brand (Visa, MasterCard, American Express, etc.) is stored in plaintext as a custom application value. The application will use the brand ID to programmatically determine the card brand. This pattern is usually in applications that also encrypt the card number. The brand is used for reconciliation or easy retrieval for chargebacks and retrieval requests.

Pattern 3
Fields stored: 1. Card Number (hashed); 2. Brand ID
Description: The card brand ID is stored in plaintext, which will be the first 1 to 5 digits of the card number. This pattern is usually in applications that also encrypt the card number. The brand is used for reconciliation or easy retrieval for chargebacks and retrieval requests.

Pattern 4
Fields stored: 1. Card Number (hashed); 2. Brand ID; 3. Last-4
Description: The card brand ID and last 4 digits are stored in plaintext. This seems to be a common design pattern and usually meets all necessary business requirements.

Pattern 5
Fields stored: 1. Card Number (hashed); 2. Last-4
Description: Only the last 4 digits are stored in plaintext to allow for returns and credits processing. The last-4 digits are displayed on receipts, web pages, application screens, and in reports.

Pattern 6
Fields stored: 1. Card Number (hashed); 2. Prefix-6; 3. Last-4
Description: This is the worst-case scenario, where the first 6 digits and last 4 digits are stored in plaintext. The business requirement is that the brand as well as the bank ID must be known.


Understanding the different portions of a credit card number

Card Number: Full 14 to 16 digit account number, referred to as the Primary Account Number (PAN) in PCI DSS. Card numbers may be up to 19 digits, but most major brands are in the range of 14 to 16 digits.

Brand: The credit card brand (Visa, MasterCard, American Express, Discover, Diners Club, JCB, etc.). Due to processing agreements between the brands, the brand will be defined as the brand indicated by the brand ID in the card number rather than the brand name on the card.

Brand ID: The first one to five digits that represent the brand; a brand may have multiple brand IDs. The brand ID does not include the bank identifier for brands like Visa and MasterCard.

Common Prefix or Bank Prefix: The first three to six digits that are significant to a brand card number. This information is not generally available, but unauthorized lists of prefixes and bank identifiers are available on some Internet sites for the most popular card brands.

Prefix 6: The first six digits of the card number, regardless of brand or length.

Last 4: The last four digits of the card number, regardless of brand or length. This includes the last digit, which is the check digit.

Check Digit: The last digit of the card number, which for most brands is the check digit and is calculated using the Luhn checksum algorithm over the prior digits.


Note: The Luhn algorithm or Luhn formula, also known as the "modulus 10" or "mod 10" algorithm, is a simple checksum formula used to validate a variety of identification numbers, such as credit card numbers, IMEI numbers, National Provider Identifier numbers in the US, and Canadian Social Insurance Numbers.
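As an added example, not taken from the original post or the referenced Integrigy whitepaper: a Luhn validator and check-digit generator for the note above, plus a count of how many Luhn-valid 16-digit PANs remain consistent with the digits each pattern in the first table keeps in plaintext, i.e. how much of the card number the hash is still protecting. It assumes a one-digit brand ID (the leading 4 of a Visa number) and that the brand-name pattern discloses that same digit; the 4111... number is a constructed test value.

```python
# Luhn check plus per-pattern count of PANs still hidden behind the hash.

def luhn_valid(pan: str) -> bool:
    """True if the rightmost digit is a correct Luhn (mod 10) check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2   # digit sum of the doubled value
        total += d
    return total % 10 == 0

def luhn_check_digit(digits: str) -> str:
    """Return the check digit that completes `digits` into a Luhn-valid number."""
    for d in "0123456789":                  # exactly one digit makes the sum a multiple of 10
        if luhn_valid(digits + d):
            return d
    raise AssertionError("unreachable: one digit always satisfies mod 10")

def candidate_pans(pan_length: int, prefix_digits: int, last4_stored: bool) -> int:
    """Number of Luhn-valid PANs of pan_length digits that match the plaintext digits.
    Every free digit contributes a factor of 10 except one: if last-4 is stored, the
    known check digit forces one middle digit; if not, the check digit is forced."""
    free = pan_length - prefix_digits - (4 if last4_stored else 0)
    if free <= 0:
        return 1                            # every digit is in plaintext already
    return 10 ** (free - 1)

# The six storage patterns from the table above: (plaintext prefix length, last-4 stored?).
# Assumption: brand name and brand ID both disclose one leading digit (e.g. Visa's 4).
PATTERNS = {
    "hashed only":                (0, False),
    "hashed + brand":             (1, False),
    "hashed + brand ID":          (1, False),
    "hashed + brand ID + last-4": (1, True),
    "hashed + last-4":            (0, True),
    "hashed + prefix-6 + last-4": (6, True),
}

def search_space_by_pattern(pan_length: int = 16) -> dict:
    """Candidate PAN count per pattern; smaller means the hash protects less."""
    return {name: candidate_pans(pan_length, p, l) for name, (p, l) in PATTERNS.items()}

if __name__ == "__main__":
    sample = "4111111111111111"             # constructed, widely used Luhn-valid test number
    print(sample, "Luhn valid:", luhn_valid(sample))
    print("check digit for", sample[:-1], "is", luhn_check_digit(sample[:-1]))
    for name, n in search_space_by_pattern().items():
        print(f"{name:28s} {n:>20,d} candidate PANs")
```

For a 16-digit PAN the worst-case pattern leaves only 10^5 candidates, against 10^15 when nothing but the hash is stored.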

Reference:
http://www.integrigy.com/security-resources/whitepapers/Integrigy_Hashing_Credit_Card_Numbers_Unsafe_Practices.pdf