Copied from https://github.com/bnnanet/bnna-payment-gateway.js/issues/5 for the immediate benefit of others, to be available as a Public gist until we make the whole repo public (once it's useful).
- We should limit stored data to what's required for specific, known business purposes (not "just in case it's useful")
- We may, for internal use, salt and hash the full credit card number (with per-vendor salts)
- We MUST NOT expose that salt or hash via API
- We may create a 1:1 mapping with a random (or otherwise unrelated) key and the salted hash
- This is the user-facing identifier
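
A minimal sketch of the scheme in the list above, added here as an example and not code from the bnna-payment-gateway.js repo. `CardVault` and its method names are hypothetical, storage is an in-memory `Map`, and HMAC-SHA-256 keyed with the per-vendor salt is assumed as the "salt and hash" step.

```javascript
const crypto = require('node:crypto');

// Added example: CardVault and its methods are hypothetical names.
class CardVault {
  #salts = new Map();       // vendorId -> per-vendor salt (never leaves this class)
  #tokenByHash = new Map(); // "vendorId:hash" -> token
  #hashByToken = new Map(); // token -> "vendorId:hash" (keeps the mapping 1:1)

  #saltFor(vendorId) {
    if (!this.#salts.has(vendorId)) {
      this.#salts.set(vendorId, crypto.randomBytes(32));
    }
    return this.#salts.get(vendorId);
  }

  // Internal use only: salted hash of the full card number.
  #hashPan(vendorId, pan) {
    const digits = String(pan).replace(/[\s-]/g, '');
    if (!/^\d{12,19}$/.test(digits)) throw new TypeError('invalid card number');
    const hmac = crypto.createHmac('sha256', this.#saltFor(vendorId));
    return hmac.update(digits).digest('hex');
  }

  // Returns the user-facing identifier: random, unrelated to the card number.
  tokenize(vendorId, pan) {
    const key = `${vendorId}:${this.#hashPan(vendorId, pan)}`;
    let token = this.#tokenByHash.get(key);
    if (!token) {
      token = 'card_' + crypto.randomBytes(16).toString('base64url');
      this.#tokenByHash.set(key, token);
      this.#hashByToken.set(token, key);
    }
    return token;
  }

  // Internal check: does this card number belong to this vendor's token?
  matches(vendorId, token, pan) {
    const key = this.#hashByToken.get(token);
    return key !== undefined && key === `${vendorId}:${this.#hashPan(vendorId, pan)}`;
  }

  // What an API response may carry: the token, never the salt or the hash.
  toApi(token) {
    if (!this.#hashByToken.has(token)) throw new Error('unknown token');
    return { id: token };
  }
}
```

The same card number yields the same token within one vendor and an unrelated token for another vendor, so tokens cannot be used to correlate a card across vendors.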