Reputation: 181
I came to a situation where I am required to store credit card holder data in my database and I'm looking for the most secure way of dealing with this. Note that I am fully aware of PCI-DSS so my question is purely about the encryption aspect.
Now I have decided to use Curve25519 public key encryption (using libsodium) and the private key is stored securely, offline. Let's assume I implemented this correctly. I figured that when I only encrypt the credit card number and the expiry date this would be easy to brute force as the first 6 and last 4 digits of the card number are known as well as the expiry date, because they are already plain text in the database somewhere.
Let's say I'm encrypting this
1234561111118762|10|21|VISA
Now the only secret in this string is 111111 (6 digits). It would cost someone 10^6 tries to find out this number.
But what if I am encrypting like this
1234561111118762|10|21|VISA|aVeryLongPsuedoRandomStringGeneratedUniquelyForEachEncryptedString
Would this prevent a brute force 10^6 scenario? Or am I missing something?
Upvotes: 0
Views: 160
Reputation: 9805
Speaking just about encryption...
I'm assuming by "brute-force" you mean take the public key, encrypt and compare to the ciphertext you have stored. If this is what you mean, then the answer depends on the implementation.
You need to determine if the implementation is deterministic - if it is, then yes, it will be possible to brute-force and compare. If it is not (which you would expect), then this won't be a problem.
I expect libsodium has this problem covered.
Upvotes: 2
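An added illustration of the deterministic-versus-randomized distinction the answer draws (my own code, not libsodium's and not from the question): a toy hybrid scheme in the shape of a libsodium sealed box (ephemeral Diffie-Hellman plus a symmetric keystream) over a 61-bit prime group that gives no real security. Pinning the ephemeral value r models a deterministic implementation, and the encrypt-and-compare search from the question only succeeds in that case; the group, FIXED_R and the sample record are constructed.

```python
import hashlib
import secrets

# Toy DH group, for demonstration only: 2^61 - 1 is prime, but 61 bits give
# no real security. It stands in for the Curve25519 key in a libsodium sealed box.
P = (1 << 61) - 1
G = 3
FIXED_R = 424242  # constructed: what a deterministic implementation would hard-code

# Constructed sample record from the question: only the middle six PAN digits
# are secret; BIN, last four, expiry and brand are plaintext elsewhere.
BIN, LAST4, TAIL = "123456", "8762", "|10|21|VISA"

def keygen():
    priv = secrets.randbelow(P - 2) + 1   # the key kept offline in the question
    return priv, pow(G, priv, P)

def record(middle):
    return f"{BIN}{middle}{LAST4}{TAIL}".encode()

def keystream_xor(shared_secret, data):
    # Symmetric half of the hybrid scheme, keyed from the DH shared secret.
    stream, i = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(shared_secret.to_bytes(8, "big") + bytes([i])).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(pub, plaintext, r=None):
    # Ephemeral-DH "sealed box": fresh r per message unless r is pinned,
    # which models a deterministic implementation.
    if r is None:
        r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), keystream_xor(pow(pub, r, P), plaintext)

def open_box(priv, box):
    c1, c2 = box
    return keystream_xor(pow(c1, priv, P), c2)

def is_deterministic(pub, plaintext, r=None):
    # The check the answer asks for: same input twice, same ciphertext?
    return seal(pub, plaintext, r) == seal(pub, plaintext, r)

def guess_middle_digits(pub, box, r=None, limit=1_000_000):
    # Encrypt-and-compare search from the question, at most 10^6 candidates;
    # returns the recovered digits, or None when no candidate ever matches.
    for n in range(limit):
        middle = f"{n:06d}"
        if seal(pub, record(middle), r) == box:
            return middle
    return None
```

With r pinned the search finds "111111" on its 111112th candidate; with fresh randomness per message the attacker's ciphertexts can never equal the stored one, so the search returns None no matter how long it runs.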