RE: Why the index is not used ? - Mailing list pgsql-general

From Phil Endecott
Subject RE: Why the index is not used ?
Date
Msg-id 1538939871586@dmwebmail.dmwebmail.chezphil.org
List pgsql-general
Hello Didier,

Your email is didier.ros@edf.fr.  Are you working at Electricite de France,
and storing actual customers' credit card details?  How many millions of
them?

Note that this mailing list is public; people looking for targets with poor
security from which they can harvest credit card numbers might be reading it.
And after you are hacked and all your customers' credit card details are made
public, someone will find this thread.

> it's not the best solution, but we have data encryption needs and good 
> performance needs too. I do not know how to do it except the specified 
> procedure..

You should probably employ someone who knows what they are doing.

Sorry for being so direct, but really... storing large quantities of credit
card details is the textbook example of something that has to be done
correctly.

> if anyone has any proposals to put this in place, I'm interested.

Why do you need to search by credit card number?

If you really really need to do that, then one option is to use an
encryption function that doesn't salt the data.  Or you could store part
of the number (last 4 digits?), or an unsalted hash of the number,
unencrypted and indexed, and then you need only to sequentially decrypt
(using the salted encryption) e.g. 1/10000 of the card numbers.  But there
are complex security issues and tradeoffs involved here.  You probably
need to comply with regulations (e.g. "PCI standards") which will specify
what is allowed and what isn't. And if you didn't already know that,
you shouldn't be doing this.


Good luck, I suppose.

Phil.

P.S. It seems that you were asking about this a year ago, and got the
same answers...
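
The partial-number option described in the message above, sketched for PostgreSQL with pgcrypto. This is an added example, not part of the original post; the table, column, statement and key names are hypothetical, and the literal key stands in for whatever key management is actually in use.

```sql
-- Added example: names and the key literal are hypothetical placeholders.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE cards (
    id      bigserial PRIMARY KEY,
    -- Last 4 digits, stored unencrypted and indexed; used only to narrow the search.
    last4   text  NOT NULL CHECK (last4 ~ '^[0-9]{4}$'),
    -- Output of pgp_sym_encrypt: salted, so equal numbers give unequal bytes.
    pan_enc bytea NOT NULL
);
CREATE INDEX cards_last4_idx ON cards (last4);

-- Constructed sample data: published test card numbers, not real cards.
INSERT INTO cards (last4, pan_enc)
SELECT right(pan, 4), pgp_sym_encrypt(pan, 'demo-key-placeholder')
FROM (VALUES ('4111111111111111'),
             ('5555555555554444'),
             ('4012888888881881')) AS t(pan);

-- Encrypting the same number twice yields different ciphertexts, so a
-- btree index on pan_enc cannot answer "WHERE pan_enc = encrypt(number)".
SELECT pgp_sym_encrypt('4111111111111111', 'demo-key-placeholder')
     = pgp_sym_encrypt('4111111111111111', 'demo-key-placeholder')
       AS same_ciphertext;

-- Lookup: the indexable predicate on last4 selects the candidate rows
-- (about 1/10000 of the table); only those need to be decrypted and
-- compared against the full number.
PREPARE find_card(text, text) AS
SELECT id
FROM cards
WHERE last4 = right($1, 4)
  AND pgp_sym_decrypt(pan_enc, $2) = $1;

EXECUTE find_card('4111111111111111', 'demo-key-placeholder');

-- Check that the planner picks cards_last4_idx on a realistically sized table
-- (on a three-row table it will prefer a sequential scan).
EXPLAIN EXECUTE find_card('4111111111111111', 'demo-key-placeholder');
```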








