Storing a SHA256 of first and last name along with 4 last digits of credit card number

Question

I'm trying to find the best way to uniquely identify customers before they make a purchase to ensure a coupon code isn't used twice by the same person. I do not intend to make my website full PCI compliant since I'm not planning on storing Credit Card numbers (only does POST.) I want to generate a SHA 256 (one way encryption) of the first name concatenated with the last name and the credit card number and store this into my database. Would this require PCI-compliance, although it is a one way encryption? What about using the first name + last name + last 4 digits of the credit card, would it still require full PCI compliance?

Thanks,

Answer 1

The fact that you're able to obtain the full card numbers at all means that you're going to be involved with PCI compliance, regardless of how you plan to generate the hash.

If you are able to hash the card numbers, and only store a hash then this will certainly make your path towards PCI compliance easier, but you will still need to work through the other issues to ensure that (eg) no rogue employee can gather the card data prior to hashing.

Hashing with SHA256 is acceptable, so long as each card has a unique salt. Your plan to use first name + last name as a salt would probably be considered acceptable here.

Ideally though you'd work with a payment gateway that captured and tokenised the card details. This would mean you never have access to the full card number and would all but eliminate your responsibilities with PCI compliance, and also mean that you could probably just use the token id in place of the card number, and no hashing required.