Best Practices for Sending Payment Hash Events
Verosint supports event types that include payment hashes so that you can monitor the payment activity of users on your platform. By securely hashing the card number, you can be certain that two card numbers that generate the same hash are actually the same cards. Verosint uses the credit card hash as a unique event print that is associated with an account. By using this unique print, you can immediately see if more than one account is using or has used the same card, which would indicate multiple account fraud or an account takeover.
Follow Industry Standards
Companies that use and store payment methods are familiar with the Payment Card Industry Data Security Standard (PCI DSS), which requires protection of stored cardholder data (Primary Account Number or PAN) using any of the following approaches (Requirement 3.4):
- One-way hashes based on strong cryptography (hash must include the entire PAN);
- Truncation (hashing cannot be used to replace the truncated segment of the PAN);
- Index tokens and pads (pads must be securely stored);
- Strong cryptography with associated key-management processes and procedures.
A proper payment hash has a minimum of 32 characters. PCI DSS version 4.0 addresses the risks related to the ability to reverse stored credit card hashes through brute-force methods by requiring keyed cryptographic hashes. With a keyed cryptographic hash, the payment application generates a random string (the key) and combines it with the card data before the hash is generated.
Note:
Using tokenized payment method values is preferred. Only hash raw payment information as a last option.
Send a paymentHash to Verosint
The paymentHash
optional field can be sent as an identifier to the /signalprint/events
endpoint and will display in the Explorer and in SignalPrint. The payment hash event can only be connected to Account nodes. As a unique print, if the payment hash has a connection to more than one account, multiple-account fraud is highly probable.
Security Considerations
The
paymentHash
property should be a securely hashed (SHA-256 encryption, at a minimum, with key or Salt) representation of the payment method. Tokenized values are prefered.Verosint will not process any numeric value that resembles a credit card number or any known payment method token or string.
Updated 5 months ago