> I think much of the problem is with credit card numbers themselves. There are > only ~10**16 possible credit card numbers...
Actually, it's much worse than that. You can't encrypt all of the PAN for a credit card. Typically, the first part (the BIN) is required in cleartext in order to route the transaction to the correct issuer, and the last 4 digits are usually required in the clear to be printed on a credit card receipt. In the current ANSI FPE standard (X9.124, which I think is still in draft), the minimum number of PAN digits that get encrypted with FPE is just 6 "middle" digits. However, it is common to use the other (unencrypted) digits as input to the FPE algorithm, so that cards where these 6 digits are the same do not end up with identical encrypted digits. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
