Should I store SSN?

I'm working on a side project... it's forms with names, address, and other info. One of the fields is SSN.

I plan to encrypt the name and address fields. I can encrypt SSN as well but with all the cyber security issues going on... I'm thinking I shouldn't even store SSN or only store the last 4 digits.

The application will be hosted on a hosting server (ARMOR) eventually.

Any thoughts on whether I should store SSN and encrypt it, or just leave out SSN? Users can always search by name.
Asked by: Camillia
 
zephyr_hex (Megan) (Developer) commented:
I'm of the opinion that SSNs should not be stored unless they are required by the app.  And if they are required for the app, I'd even question why they're required to see if it's possible to go without saving to the db.
I also feel the same way about credit card numbers.
Storing those two types of data is just asking for trouble.

There are cases where you DO want to ask for data but you don't want to store it.  Take credit cards, for example.  In order to accept a payment, you must ask for a credit card.  You do not need to store the credit card number.  Same could be true for SSNs, if, for example, you needed to do a credit check or the like.
2
 
Kyle Abrahams (Senior .Net Developer) commented:
Is it just for searching?  Possibly hash the full one and encrypt the last 4?
0
 
Shaun Vermaak (Technical Specialist/Developer) commented:
What database are you planning on using? One option is to store it as a hash. This way you can search by SSN with the hash.
0
 
Camillia (Author) commented:
Database is SQL Server 2014 or 2016.

It's for a form and SSN goes with the person's data. When the form is filled, user's info is saved. I can give them search by anything and was thinking just giving them search by name or something else but not SSN.

"hash the full one and encrypt the last 4"
Why not encrypt the whole thing? Because of searching... it's faster to get a hashed field?
0
 
Kyle Abrahams (Senior .Net Developer) commented:
Hash is one way, so no way of getting that data back.
0
 
gilnov (Systems Administrator) commented:
I guess it depends on the size of the db. If there are multiple John Smiths, for instance, how will the searcher tell them apart? On the other hand, if you don't store SSNs in full or in part, they can't be stolen and you cut liability down considerably in the event of a breach. If you include the SSN... or even the last 4, encrypting it is definitely warranted in any case.
0
 
Camillia (Author) commented:
Ah, let me read about hashing.

Yeah, if there are multiple John Smiths, then address or other info needs to be tagged to it.
0
 
Éric Moreau (Senior .Net Consultant) commented:
If you don't want to store it, why ask for it?

I am in favor of asking/storing the least information that is required by your business.
1
 
Camillia (Author) commented:
SSN is on the form that I'm automating. Can't leave it out but, Eric, what you're saying makes sense. If I'm not going to save it, why even ask for it?
0
 
Camillia (Author) commented:
"There are cases where you DO want to ask for data but you don't want to store it"

This could be my situation, the more I think about it.
0
 
Kyle Abrahams (Senior .Net Developer) commented:
Again, SSN is great for a lookup; but you can save a hash of it which would be safe.

E.g.: Ask for the SSN, hash it, save the hash.  When they do the search, you can request the SSN, rehash it, and search on the hash.
1
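
The ask, hash, save, re-hash and search flow from the comment above, as an added example that is not part of the original thread. It uses a keyed hash (HMAC-SHA256) instead of a bare hash, because there are only 10^9 possible nine-digit SSNs and an unkeyed digest of one can be recovered by enumeration. `LOOKUP_KEY`, the `person` table, the function names and the sample SSNs are constructed for illustration, and in-memory SQLite stands in for SQL Server.

```python
import hashlib
import hmac
import re
import sqlite3

# Assumption: in production this key lives in a secrets manager or HSM,
# never in the database that holds the tokens. Constructed value.
LOOKUP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def normalize_ssn(raw: str) -> str:
    """Strip separators so '000-12-3456' and '000 12 3456' hash identically."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def ssn_token(raw: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed, deterministic lookup token usable for equality search only."""
    return hmac.new(key, normalize_ssn(raw).encode(), hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (id INTEGER PRIMARY KEY,"
               " name TEXT NOT NULL, ssn_token TEXT NOT NULL UNIQUE)")
    return db


def save_person(db: sqlite3.Connection, name: str, raw_ssn: str) -> int:
    # Only the token is written; the SSN itself never reaches the table.
    cur = db.execute("INSERT INTO person (name, ssn_token) VALUES (?, ?)",
                     (name, ssn_token(raw_ssn)))
    return cur.lastrowid


def find_by_ssn(db: sqlite3.Connection, raw_ssn: str) -> list:
    # Re-hash the search input and match on the stored token.
    rows = db.execute("SELECT id, name FROM person WHERE ssn_token = ?",
                      (ssn_token(raw_ssn),))
    return rows.fetchall()


if __name__ == "__main__":
    db = open_db()
    # Constructed samples; area number 000 is never issued.
    save_person(db, "John Smith", "000-12-3456")
    save_person(db, "John Smith", "000-98-7654")
    print(find_by_ssn(db, "000123456"))
```

The token distinguishes the two John Smiths without the SSN being recoverable from the table alone; rotating `LOOKUP_KEY` requires re-collecting the SSN, since the stored tokens cannot be reversed.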
 
käµfm³d 👽 commented:
What do your business rules say the SSN should be used for? That would dictate whether or not you store it. If you must store it, then you figure out whether or not your business cares about securing that data.
1
Question has a verified solution.
