Databases are used for a large number of different applications. In some instances, the databases can be used to store sensitive information that calls for a measure of security. Depending upon the importance of the information and the potential for misuse of the information, different levels of security are implemented. One type of information that typically requires a high level of security is financial information, such as transaction card account identifiers.
Transaction cards are used by consumers in a variety of avenues, such as online purchases, in-store purchases, over-the-phone purchases, and cash advances. Many of these avenues involve the use of transaction cards for retail purchases. Some retailers maintain databases that contain information related to consumer transaction card use, such as the transaction card account details or identifiers. The retailers use the databases for a variety of purposes, including consumer dispute resolution, consumer refunds, fraud detection, and customer purchase tracking.
There has been growing concern, however, in the prevention of unauthorized access to transaction card identifiers, and individual card holders are instructed to keep their transaction card identifiers private. The concern is magnified where an unauthorized person has access to a database containing multiple transaction card identifiers. Such an unauthorized person could commit transaction card fraud, identity theft, or other illegal activities with any of the transaction card identifiers. For this reason, unauthorized access to a database containing transaction card identifiers can potentially lead to large economic consequences for transaction card holders, financial companies that issue transaction cards, retailers, and others.
In addition, the capacity for transaction card fraud has increased with the growing use of the Internet. If databases are accessible from a system that has a link to the Internet, the potential security issues increase because an unauthorized person may be able to access the database from a distant location. Accordingly, databases that contain transaction card information often implement costly security measures to prevent transaction card fraud.
Examples of security measures used include implementing a firewall or a similar method of limiting external access, password protecting the database, limiting the amount of transaction card data stored, not storing unnecessary information, encrypting the transaction card identifiers, and masking the account identifiers.
Several of the security measures can adversely affect the functionality of the database. For example, limiting the amount of transaction card identifiers stored often can be accomplished by only retaining the identifiers for a limited period of time; however, a retailer may have a need for accessing information related to events that occurred prior to the limited time period. In another example, the transaction card data can be encrypted in the database using an encryption method, such as AES (Advanced Encryption Standard) cryptography or similar method. Unfortunately, after a transaction card identifier is encrypted by such methods, the encrypted result is often a large binary string, and thus, contains characters that cannot be displayed and that can be difficult to store and manipulate because of the encrypted format. Moreover, database transactions involving the encrypted transaction card identifiers can require large amounts of computing power and time, and produce erroneous data that in various applications can cause the applications to function incorrectly. In addition, many encryption methods use a key to create the encrypted data. If the key is changed, all of the encrypted data must also be changed. This can create compatibility issues between the old and new encrypted values.
When the transaction card information is masked for display purposes (e.g., replaced with “*” or other unrelated markers), masking the information can reduce the usefulness of the display. For example, a viewer is not able to look through a listing of transactions for identical transaction card identifiers if the identifiers are masked. Moreover, if partial masking of the identifiers is used, the uniqueness of each transaction card identifier may be lost.
These and other issues have presented challenges to the implementation of secure databases, including those involving transaction card identifiers and similar information.