Msg#: 4422329 posted 5:34 pm on Feb 27, 2012 (gmt 0)
Background: We have artificial limits (throttling) on our e-commerce website per user login, we need a way to prevent a person from simply creating a new account with us and continue spending with the same credit card. We are PCI compliant however we would strongly prefer a 3rd party hosted solution as we'd rather not hold any reversible CC information (in database or memory). Hence a returned unique cc token would suit.
We deal with USD currency only, and can create US bank accounts if necessary.
We were very close to finishing the application steps to RBS WorldPay when we realized their API did not return some type of unique identifier/token for the credit card used in the transaction. authorize.net supplies the last 4 digits of the card used but that isn't enough uniqueness for us to use.
Msg#: 4422329 posted 11:25 am on Feb 28, 2012 (gmt 0)
It may not be a good solution even if a gateway was providing a token back to you in this context. Visitors could submit the same information using different case letters, whitespace in the various fields, may have a different start/end date for their cards than the previous time they tried to buy something etc.
So from what I understand you need to generate a non-reversible token from some of the fields the customer submits as billing/shipping info after doing some field refinement. And then use the token for identification.
Msg#: 4422329 posted 5:11 pm on Feb 28, 2012 (gmt 0)
How about creating a one-way encrypted hash of some sort and using that as your token? I presume you're doing a silent post, you'd create the hash at that point and store only the hash and being a one-way hash, can't be stolen. (reasonably, ANYTHING is possible.)
Next time an account cc comes in, if the hash matches, it's the same card.
Msg#: 4422329 posted 8:24 pm on Feb 28, 2012 (gmt 0)
We would certainly be able to create a one-way hash if we accepted the CC number on our end. However we would prefer a 3rd party hosted gateway to gather the CC data so that we won't have to go through the hassle of monthly PCI compliance.