Ask HN: Would storing an irreversible card fingerprint violate GDPR compliance?

[thala]

Would it be okay to generate an store a card fingerprint using a irreversible one-way hashing lead to a violation of GDPR compliance? We are based out of the US.

I'm not able to find any specific documentation that discusses about the user consent here? Would it be a violation of privacy from a GDPR standpoint?

[dave4420]

What would you be using it for? You do not always need consent, e.g. if it’s necessary in order to deliver a service the fingerprint owner requested.

Would you be able to delete the hash if the fingerprint owner asked you to?

[thala]

Yes we would have to provision to delete it upon request. We are looking to use this for fraud risk management.

[mrkeen]

I considered hashing GDPR data previously in a project, and found that "one-way" hashing didn't really exist in our use case.

If the number of possible inputs is small enough, you can just rehash them all, and then your "one-way" hash becomes two-way.

[mytailorisrich]

This may be personal data, since payment cards are nominal, so may fall within the GDPR. But that does not means it is a "violation" and that does not mean you should lose sleep over it.

[thala]

Okay, does the regulation vary upon different regions?

[mytailorisrich]

You say you're in the US and you sound like a small entity so not entirely clear why you care about the GDPR, but you want to comply, cool.

As said, this info may be personal data. SO why do you want to store it? If it's for security/fraud prevention you should look for a carve out (legitimate interest, etc) that would allow you to store it without explicit consent and would possibly also allow you not to delete it on request. In which case, you would be able to simply stipulate in your T&Cs/privacy policy that you are collecting that info for that specific reason, for that specific period of time (all of which should be reasonable).