I am working on a pretty simple e-commerce web site that will sell our
company gift cards online. Our company and merchant policy prohibits us from
storing credit card numbers in any way once we clear the transaction using
Pay Flow. To help protect against fraud, I would like to know when the same
card number is used to make more than one purchase in a given period of
time.
Would hashing card numbers and then storing and comparing hashes work? Does
it still adhere to our company policy?
What would work better: creditCard.ToHash() or using one of the SHA managed
providers?
-Andy
Andrew Robinson wrote:
Would hashing card numbers and then storing and comparing hashes work? Does
it still adhere to our company policy?
I'm not a security expert, but I guess it would work. You only have to
be sure that you do not use any bad algorithm which allows re-hashing.
What you maybe can do... Create a public/private key-pair and delete the
private key.
Then you use the public key for hashing.
I'm not very sure, but this should work. Try it out!
Regards,
Martin
IMO that should be OK (not a "legal" opinion ;-p). Sounds pretty normal.
Whenever storing a hash in a persistent system, you should use a known
algorithm, such as SHA, MD5, etc. The CLR GetHashCode() is liable to change
between runtime versions, which would break your system. For instance,
string.GetHashCode() is very different between 1.1 and 2.0.
Marc
Hi,
Would hashing card numbers and then storing and comparing hashes work?
Does it still adhere to our company policy?
Well, it depends on what your policy says. IMO (IANAL) it should be OK, as
you cannot regenerate the CC# from the hash.
What would work better: creditCard.ToHash() or using one of the SHA managed
providers?
I will go with something like SHA or MD5 just because it's standard; later on,
if you need to explain yourself, you can say you used an industry standard (SHA,
etc.) to generate the hash.
--
Ignacio Machin,
ignacio.machin AT dot.state.fl.us
Florida Department Of Transportation
Hi Andrew,
I'm not very experienced with merchant policy; however, if the concern
here is only to prevent clear-text credit card numbers in memory or application
data, using a hashed value is a reasonable approach (and comparing them using the
hashed value also).
BTW, what's the "creditCard.ToHash()" you mentioned? Is this a particular
method of your custom credit card class type? As far as I know, you can
use the component classes under namespace to perform those crypto specific
operations (including hash, encrypt, signing...):
#Generating a Hash http://msdn2.microsoft.com/en-us/library/w1t5hx6k.aspx
#Verifying a Hash http://msdn2.microsoft.com/en-us/library/yeyw8w2d.aspx
Also, I would prefer SHA1 to MD5 since SHA1 is naturally stronger.
Hope this also helps.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks everyone for all the info. Looks like I was heading down the correct
path here with SHA1 and we all agree.
--
Andrew Robinson
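The detection the thread describes (hash the card number, store the hash, compare later), as an added C# example that is not code from the thread or from any poster. It departs from the plain SHA-1 the thread settles on by using HMAC with a secret key, because a card number is short enough that an unkeyed hash gives little protection; the CardReuseDetector class, the 24-hour window, the test card number and the placeholder key are all assumptions of the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Stores only a keyed hash (HMAC) of the
// card number and counts how often the same card is used within a time window.
// Assumption: the HMAC key comes from a secret store and never sits in the database.
public sealed class CardReuseDetector
{
    private readonly byte[] _key;
    private readonly TimeSpan _window;
    // token -> purchase times; in production this would be a table keyed by the token
    private readonly Dictionary<string, List<DateTime>> _seen = new Dictionary<string, List<DateTime>>();
    public CardReuseDetector(byte[] key, TimeSpan window) { _key = key; _window = window; }
    // HMAC rather than plain SHA-1/MD5: a 16-digit PAN has far too little entropy
    // for an unkeyed hash to resist brute-force recovery of the number.
    public string Tokenize(string pan)
    {
        string digits = pan.Replace(" ", "").Replace("-", "");  // same card, any formatting -> same token
        using (var hmac = new HMACSHA256(_key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.ASCII.GetBytes(digits));
            return BitConverter.ToString(mac).Replace("-", "");
        }
    }
    // Records a purchase and returns how many purchases this card made inside the
    // window, including this one; the caller applies its own fraud threshold.
    public int RecordPurchase(string pan, DateTime when)
    {
        string token = Tokenize(pan);   // the clear-text PAN is not retained past this point
        List<DateTime> times;
        if (!_seen.TryGetValue(token, out times)) { times = new List<DateTime>(); _seen[token] = times; }
        times.Add(when);
        times.RemoveAll(t => when - t > _window);   // forget purchases that fell out of the window
        return times.Count;
    }
}
public static class Demo
{
    public static void Main()
    {
        // Constructed values: the standard Visa test PAN and a placeholder key.
        var detector = new CardReuseDetector(Encoding.ASCII.GetBytes("PLACEHOLDER-KEY-FROM-SECRET-STORE"), TimeSpan.FromHours(24));
        var t0 = new DateTime(2007, 1, 1, 10, 0, 0);
        Console.WriteLine(detector.RecordPurchase("4111 1111 1111 1111", t0));             // first use of this card
        Console.WriteLine(detector.RecordPurchase("4111-1111-1111-1111", t0.AddHours(2))); // same card, different formatting
        Console.WriteLine(detector.RecordPurchase("4111111111111111", t0.AddDays(3)));     // earlier purchases are outside the window
    }
}
```

The in-memory dictionary stands in for the database table the original post would store hashes in; only the token and timestamps need to be persisted.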