Should I store SSN?

I'm working on a side project... it's forms with names, address, and other info. One of the fields is SSN.

I plan to encrypt the name and address fields. I can encrypt SSN as well but with all the cyber security issues going on... I'm thinking I shouldn't even store SSN or only store the last 4 digits.

The application will be hosted on a hosting server (ARMOR) eventually.

Any thoughts on if I should store SSN and encrypt or just leave out SSN? Users can always search by name.

Kyle Abrahams, Senior .Net Developer, commented:
Is it just for searching?  Possibly hash the full one and encrypt the last 4?
Shaun Vermaak, Technical Specialist, commented:
What database are you planning on using? One option is to store it as a hash. This way you can search by SSN with the hash.
Camillia, Author, commented:
Database is SQL Server 2014 or 2016.

It's for a form and SSN goes with the person's data. When the form is filled, user's info is saved. I can give them search by anything and was thinking just giving them search by name or something else but not SSN.

"hash the full one and encrypt the last 4"
Why not encrypt the whole thing? Because it's faster to get a hashed field?
Kyle Abrahams, Senior .Net Developer, commented:
Hash is one way, so no way of getting that data back.
gilnov, Systems Administrator, commented:
I guess it depends on the size of the db. If there are multiple John Smiths, for instance, how will the searcher tell them apart? On the other hand, if you don't store SSNs in full or in part, they can't be stolen and you cut liability down considerably in the event of a breach. If you include the SSN...or even the last 4, encrypting it is definitely warranted in any case.
Camillia, Author, commented:
Ah, let me read about hashing.

Yeah, if there are multiple John Smiths, then address or other info needs to be tagged to it.
Éric Moreau, Senior .Net Consultant, commented:
If you don't want to store it, why ask for it?

I am in favor of asking/storing the least information that is required by your business.
Camillia, Author, commented:
SSN is on the form that I'm automating. Can't leave it out, but, Eric, what you're saying makes sense. If I'm not going to save it, why even ask for it?
zephyr_hex (Megan), Developer, commented:
I'm of the opinion that SSNs should not be stored unless they are required by the app.  And if they are required for the app, I'd even question why they're required to see if it's possible to go without saving to the db.
I also feel the same way about credit card numbers.
Storing those two types of data is just asking for trouble.

There are cases where you DO want to ask for data but you don't want to store it.  Take credit cards, for example.  In order to accept a payment, you must ask for a credit card.  You do not need to store the credit card number.  Same could be true for SSNs, if, for example, you needed to do a credit check or the like.
Camillia, Author, commented:
"There are cases where you DO want to ask for data but you don't want to store it"

This could be my situation, the more I think about it.
Kyle Abrahams, Senior .Net Developer, commented:
Again, SSN is great for a lookup; but you can save a hash of it which would be safe.

EG:  Ask for the SSN, hash it, save the hash.  When they do the search, you can request the ssn, rehash it, and search on the hash.
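
The store-and-search flow described in the comment above, as an added example that is not part of the original thread. It swaps the bare hash for a keyed HMAC-SHA-256, because the nine-digit SSN space is small enough to enumerate against an unkeyed hash. The key value, the table and function names, and the in-memory SQLite database standing in for SQL Server are assumptions.

```python
import hashlib
import hmac
import re
import sqlite3

# Assumption: constructed demo key. A real key lives in a key vault or HSM,
# never in source code or in the database that holds the index.
INDEX_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def normalize_ssn(raw):
    """Strip spaces and dashes, then require exactly nine ASCII digits."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"[0-9]{9}", digits):
        raise ValueError("SSN must contain exactly nine digits")
    return digits

def ssn_index(raw, key=INDEX_KEY):
    """Deterministic lookup token: HMAC-SHA-256 over the normalized SSN."""
    msg = normalize_ssn(raw).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def open_store():
    """In-memory SQLite stands in for the SQL Server table (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, "
               "name TEXT NOT NULL, ssn_idx TEXT NOT NULL)")
    db.execute("CREATE INDEX ix_person_ssn ON person (ssn_idx)")
    return db

def save_person(db, name, raw_ssn):
    """Store only the keyed token; the SSN itself is never written."""
    db.execute("INSERT INTO person (name, ssn_idx) VALUES (?, ?)",
               (name, ssn_index(raw_ssn)))

def find_by_ssn(db, raw_ssn):
    """Recompute the token from the search input and match on it."""
    rows = db.execute("SELECT name FROM person WHERE ssn_idx = ?",
                      (ssn_index(raw_ssn),))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = open_store()
    # Constructed sample records; area number 000 is never issued.
    save_person(db, "John Smith", "000-12-3456")
    save_person(db, "Jane Doe", "000-65-4321")
    print(find_by_ssn(db, "000 12 3456"))
```
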
käµfm³d 👽 commented:
What do your business rules say the SSN should be used for? That would dictate whether or not you store it. If you must store it, then you figure out whether or not your business cares about securing that data.