Karl (supersat) wrote in supersat_tech,

Inside Credit Card Numbers

On request, here's a breakdown of how credit card numbers are generated. This also applies to Visa and Mastercard debit cards. Note that this is all public knowledge, and can't alone be used to generate real credit card numbers.

We'll use the sample card number 4567890001234518 as an example throughout this entry.

The first digit indicates the "industry type." For credit cards, this is either 3 (AmEx/Diners/JCB), 4 (Visa), 5 (Mastercard), or 6 (Novus/Discover), depending on the card type. All ISO-compliant cards respect this first digit so duplicate card numbers aren't generated.

The next-five digits usually indicate the bank id. For example, the bank id of our sample card number is 56789. Sometimes part of the bank id is used to further identify the type of card (so that one industry type digit can accomidate more than one type of card), and some large banks have more than one bank id. Some cards (mainly Novus/Discover, Amex, Diners, and JCB) use part of the bank id as the customer account number. Below is a table summarizing the industry type digit, valid bank id ranges, and total number length for each card type:

Card TypeIndustry Type DigitValid Bank ID RangeLength
Visa400000-9999913 or 16
Diners Club300000-05999
14 or 16
JCB Card352800-5800016

Keep in mind that this table may not be completely up-to-date, especially for card types with a relatively small range of bank ids.

The remaining digits (except for the last one) are the customer account number and are at the discretion of the card issuing bank. For debit cards, it is common (but not required) for all but the last digit of the customer account number to be your bank account number, and for the last digit to be a subaccount number, which is either sequential or random and can be changed if you lose your card and need a new number. For example, the bank account number of our sample card is 00012345, and the subaccount number is 1.

Finally, the last digit is the check digit, designed to ensure the card number was entered/read correctly. This digit is computed based on all other digits in the card number. The algorithm for computing the check digit is as follows:

Take every odd-placed digit4 6 8 0 0 2 4 1
.. and multiply it two8 12 16 0 0 4 8 2
Sum each digit of the result8+1+2+1+6+0+0+4+8+2 = 32
Take every even-placed digit except the check digit5 7 9 0 1 3 5
... and add them together5+7+9+0+1+3+5 = 30
Add the two sums together32 + 30 = 62
Take the 1s digit of the result and subtract it from 1010 - 2 = 8

Why are the odd-placed digits treated differently? The most common mistake when entering a card number is to swap two consecutive digits. By treating the odd digits differently, this ensures that the check digit will be different if two consecutive numbers are swapped, and thus, the error will be caught.

To guard against people generating numbers, there are several systems in place to ensure you are using an account number you are authorized to use. For example, the customer account number may contain random digits to ensure only a small percentage of randomly-generated card numbers are real. Even if you have a valid card number, you must get the expiration date right, or else the card will be declined. If you use your credit card online, often your billing address is verified, and sometimes you are asked for your CVV2/CVC2/CID number, located on the signature panel (or above the last four digits of an AmEx card), which is essentially random and cannot be guessed. If you use your card at a retail establishment, there are other safeguards. For example, for Visa and Mastercard cards, the first four digits of your card number are printed right above the first four embossed digits. Credit card terminals often ask the operator to enter the last four digits of the card number to ensure the card number encoded on the magnetic stripe matches the card number embossed. Finally, the magnetic stripe contains additional validation information that must be sent as-is to the card processor to prevent people from rewriting the magnetic stripe with a fake account number.
  • Post a new comment


    default userpic
    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.