secure data

  • Question

  • Hi,

    What is the best way to make credit card numbers secure?
    I have looked at encrypt/decrypt, hashbytes('SHA1', 'credit card number1234') and hashbytes('SHA2_256', 'credit card number1234'). It seems the SHA2_256 is new to SQL Server 2014, and so I guess it is more secure?

    How about making it more secure by hashing the hashed data again i.e.:

    hashbytes('SHA2_256', hashbytes('SHA2_256', 'credit card number1234'))

    ?

    What do you think?

    thanks

    Monday, December 14, 2015 12:55 PM

Answers

  • Why are you wanting to store Credit Card Numbers?

    You could be breaking the law here by doing such a thing; if this is for business purposes then you have to tread extremely carefully. Such data has to be protected up to the highest possible level for obvious reasons.

    Visit the websites below about PCI compliance.

    http://www.one-sec.com/

    https://www.pcisecuritystandards.org/


    Please click "Mark As Answer" if my post helped. Tony C.



    Monday, December 14, 2015 1:05 PM
  • I have to echo Tony’s answer. Make sure you understand your responsibilities regarding PCI-DSS compliance and the law when dealing with credit card data protection.

    Saying that, the links that Pradeep shared may be useful once you have defined the strategy for protecting your data (CCN or other type of data). I would also recommend looking at the SQL Server security blog (http://blogs.msdn.com/b/sqlsecurity/archive/tags/cryptography/) for more tips on how to use SQL Server features to protect your data.

    I would also like to mention that the usage of a one-way hash algorithm such as SHA-256 in the way you showed is not a recommended way to protect sensitive data such as CCNs or SSNs. One thing you have to consider is that, even though the operation is irreversible (i.e. there is no trivial mechanism to recover the data back from the hash value), data simply hashed without a random salt are susceptible to rainbow table attacks.

    I hope this information helps,

    -Raul Garcia

      SQL Security


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, December 14, 2015 6:15 PM

All replies

  • Below link may help you:

    https://www.mssqltips.com/sqlservertip/2431/sql-server-column-level-encryption-example-using-symmetric-keys/

    http://sqlmag.com/sql-server-2008/securing-credit-card-data-through-sql-server-2008


    • Edited by Pradeep_DBA Monday, December 14, 2015 1:00 PM
    Monday, December 14, 2015 12:59 PM
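Added worked example (not code from any of the posts above) showing in T-SQL the three patterns this thread touches: the unsalted and doubly hashed HASHBYTES the question proposes, the per-row random salt Raul's answer calls for, and the symmetric-key column encryption that Pradeep's first link describes. The sample value, the object names CcnCert and CcnKey, and the password are placeholders.

```sql
-- Constructed sample value (a well-known test number), not real card data.
DECLARE @ccn NVARCHAR(19) = N'4111111111111111';

-- 1. What the question proposes. Both digests are deterministic: the same
--    card always produces the same bytes, so a table precomputed over the
--    card-number space maps a digest straight back to a card. Hashing the
--    hash again is just as deterministic and adds nothing against that.
SELECT HASHBYTES('SHA2_256', @ccn)                        AS single_hash,
       HASHBYTES('SHA2_256', HASHBYTES('SHA2_256', @ccn)) AS double_hash;

-- 2. Raul's point: a per-row random salt, stored alongside the digest.
--    Two rows holding the same card now get different digests, and a table
--    precomputed without the salt is useless. A salted hash still only
--    supports equality checks; the number cannot be recovered from it.
DECLARE @salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);
SELECT @salt AS salt,
       HASHBYTES('SHA2_256', @salt + CAST(@ccn AS VARBINARY(38))) AS salted_hash;

-- 3. Pradeep's first link: column-level encryption with a symmetric key
--    protected by a certificate, for the case where the value must be read
--    back. Object names and the password below are placeholders.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Strong-Passw0rd!';
CREATE CERTIFICATE CcnCert WITH SUBJECT = 'Protects the CCN column key';
CREATE SYMMETRIC KEY CcnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CcnCert;

OPEN SYMMETRIC KEY CcnKey DECRYPTION BY CERTIFICATE CcnCert;
-- ENCRYPTBYKEY uses a fresh random IV, so identical cards encrypt differently.
DECLARE @cipher VARBINARY(8000) = ENCRYPTBYKEY(KEY_GUID('CcnKey'), @ccn);
SELECT @cipher                                     AS ciphertext,
       CAST(DECRYPTBYKEY(@cipher) AS NVARCHAR(19)) AS recovered;
CLOSE SYMMETRIC KEY CcnKey;
```

Even with a salt, a hash of a low-entropy value such as a card number only slows an attacker down rather than stopping one, and the encrypted column is only as safe as the certificate and master key protecting it; none of this changes Tony's point that the safest option is not to store the number at all.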