Anatomy of Credit Card Numbers
by Michael Gilleland, Merriam Park Software Introduction
Major Industry Identifier
Java Source Code
This is not an essay on credit cards per se. If that's what you're looking for, I recommend Joe Ziegler's excellent series Everything You Ever Wanted to Know about Credit Cards. This essay has a narrower focus -- to explore the anatomy of your credit card number, and to provide Java source code which determines if a given credit card number might be valid.
Specifications for credit card numbering have been drawn up by the International Standards Organization (ISO/IEC 7812-1:1993) and the American National Standards Institute (ANSI X4.13). These eminent organizations refuse to make their publications freely available on-line, and so the following information on the format of credit card numbers comes largely from an Internet Engineering Task Force (IETF) draft by Donald E. Eastlake 3rd, "ISO 7812/7816 Numbers and the Domain Name System (DNS)" (draft-eastlake-card-map-08, expires August 2001), available at the time of this writing at http://www.globecom.net/ietf/draft/d...rd-map-08.html.
I have not linked to this URL, because individual versions of IETF drafts are notoriously ephemeral.
Digit numbering in this essay is left to right. The "first" digit, therefore, means the leftmost digit.
Major Industry Identifier
The first digit of your credit card number is the Major Industry Identifier (MII), which represents the category of entity which issued your credit card. Different MII digits represent the following issuer categories:
MII Digit ValueIssuer Category 0ISO/TC 68 and other industry assignments 1Airlines 2Airlines and other industry assignments 3Travel and entertainment 4Banking and financial 5Banking and financial 6Merchandizing and banking 7Petroleum 8Telecommunications and other industry assignments 9National assignment
For example, American Express, Diner's Club, and Carte Blanche are in the travel and entertainment category, VISA, MasterCard, and Discover are in the banking and financial category, and SUN Oil and Exxon are in the petroleum category.
The first 6 digits of your credit card number (including the initial MII digit) form the issuer identifier. This means that the total number of possible issuers is a million (10 raised to the sixth power, or 1,000,000).
Some of the better known issuer identifiers are listed in the following table:
IssuerIdentifierCard Number Length Diner's Club/Carte Blanche 300xxx-305xxx,
36xxxx, 38xxxx 14 American Express 34xxxx, 37xxxx 15 VISA 4xxxxx 13, 16 MasterCard 51xxxx-55xxxx 16 Discover 6011xx 16
If the MII digit is 9, then the next three digits of the issuer identifier are the 3-digit country codes defined in ISO 3166, and the remaining final two digits of the issuer identifier can be defined by the national standards body of the specified country in whatever way it wishes.
Digits 7 to (n - 1) of your credit card number are your individual account identifier. The maximum length of a credit card number is 19 digits. Since the initial 6 digits of a credit card number are the issuer identifier, and the final digit is the check digit, this means that the maximum length of the account number field is 19 - 7, or 12 digits. Each issuer therefore has a trillion (10 raised to the 12th power, or 1,000,000,000,000) possible account numbers.
If we consider the large number of potential customers and usurious interest rates charged by issuers, there is obviously a lot of money to be made in the credit card industry. In more civilized ages, people believed that usury was a grievous offense contrary to nature or a mortal sin, not an acceptable business practice (Aristotle, Politics 1.10; St. Thomas Aquinas, De Malo 13.4; Dante, Inferno 11.94-111; etc.).
The final digit of your credit card number is a check digit, akin to a checksum. The algorithm used to arrive at the proper check digit is called the Luhn algorithm, after IBM scientist Hans Peter Luhn (1896-1964), who was awarded US Patent 2950048 ("Computer for Verifying Numbers") for the technique in 1960. For details about Luhn's life, see
* Biography on the American Society for Information Science and Technology's Web site, at http://www.asis.org/Features/Pioneers/luhn.htm.
* Notes compiled by Susan K. Soy on "H.P. Luhn and Automatic Indexing" at http://www.gslis.utexas.edu/~ssoy/or...ng/l391d2c.htm
Thanks to Aleksandar Janicijevic for directing me to information about H.P. Luhn.
The most succint description of the Luhn algorithm I have found comes from the hacker publication phrack 47-8: "For a card with an even number of digits, double every odd numbered digit and subtract 9 if the product is greater than 9. Add up all the even digits as well as the doubled-odd digits, and the result must be a multiple of 10 or it's not a valid card. If the card has an odd number of digits, perform the same addition doubling the even numbered digits instead."
The bit about even and odd is a little confusing. The main point is that you don't want to double the check digit, and this can easily be done by starting with the check digit, going backwards, and doubling every other digit. See the source code below for details.
These examples are drawn from junk mail I received from credit card issuers in August 2001. Some of this junk mail contained glossy pictures of credit cards, and the sample numbers come directly from two of these pictures.
4408 0412 3456 7890
The first credit card offer showed a picture of a card with the number 4408 0412 3456 7890.
The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 440804 (a VISA partner), the account number is 123456789, and the check digit is 0.
Let's apply the Luhn check to 4408 0412 3456 7890. In the following table,
* The top row is the original number.
* In the second row, we multiply alternate digits by 2. Don't multiply the check digit by 2.
* In the third row, we force all digits to be less than 10, by subtracting 9 where necessary.
* The bottom row contains the digits to be added together.
4 4 0 8 0 4 1 2 3 4 5 6 7 8 9 0 4 x 2 = 8 4 0 x 2 = 0 8 0 x 2 = 0 4 1 x 2 = 2 2 3 x 2 = 6 4 5 x 2 = 10 6 7 x 2 = 14 8 9 x 2 = 18 0 8 4 0 8 0 4 2 2 6 4 10 - 9 = 1 6 14 - 9 = 5 8 18 - 9 = 9 0 8 4 0 8 0 4 2 2 6 4 1 6 5 8 9 0 If we add all of the digits in the bottom row together, we get 67, which is not a multiple of 10, and therefore we conclude that the number 4408 0412 3456 7890 is an invalid credit card number.
By changing the check digit from 0 to 3, we arrive at the number 4408 0412 3456 7893, which does pass the Luhn check, since the sum of the digits in the bottom row would be 70, which is divisible by 10. 4408 0412 3456 7893 is, on the face of it, a valid credit card number.
4417 1234 5678 9112
The second credit card offer showed a picture of a card with the number 4417 1234 5678 9112.
The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 441712 (a VISA partner), the account number is 345678911, and the check digit is 2.
Let's apply the Luhn check to 4417 1234 5678 9112, as we did in the previous example.
4 4 1 7 1 2 3 4 5 6 7 8 9 1 1 2 4 x 2 = 8 4 1 x 2 = 2 7 1 x 2 = 2 2 3 x 2 = 6 4 5 x 2 = 10 6 7 x 2 = 14 8 9 x 2 = 18 1 1 x 2 = 2 2 8 4 2
CVVs, CVV2s, CVCs, and Indent CVCs are 3-digit Card Verification Values or Card Verification Codes that are all calculated using the same CVV algorithm. These values are required by payment systems such as Visa and MasterCard to authenticate their credit or debit cards. Different names are used to refer to the values depending on the particular payment system, the location of the value on the card, and the parameters passed to the CVV algorithm.
To calculate a 3-digit CVV, the CVV algorithm requires a Primary Account Number (PAN), a 4-digit Expiration Date, a 3-digit Service Code, and a pair of DES keys (CVKs).
Besides the obvious CVV variations provided by different PANs and expiration dates, most card issuers will use different CVKs for different batches of cards. Cards can be grouped by bank, by ATM network, or by other means of identifying a certain group of cards. Cards in the same batch will often use the same service code. This service code to the CVV algorithmis usually non-zero. One CVV variant, now commonly called CVV2 (Visa), or Indent CVC (MasterCard), uses '000' as the service code parameter to the CVV algorithm. Sometimes a card will have both a traditional CVV and a CVV2.
Another variation to the CVV algorithm can be introduced by changing the format of the expiration date. While the date is always the concatenation of the 2-digit month (MM) andlast 2 digits of the year (YY), it can be in either YYMM or MMYY formats. For instance, Visa CVV2s are usually calculated using the YYMM format.
A credit card number must be from 13 to 16 digits long. The last digit of the number is the check digit. That number is calculated from an algorithm (called the Luhn formula or MOD 10) on the other numbers. This is to spot typos when a user enters a number, and I assume was to allow detecting an error reading the magnetic stripe when a card is swiped.
The MOD 10 check does not offer security, it offers error detection. Think of it as fullfilling the same role as a CRC in software.
To calculate the check digit:
1. First drop the last digit from the card number (because that’s what we are trying to calculate)
2. Reverse the number
3. Multiply all the digits in odd positions (The first digit, the third digit, etc) by 2.
4. If any one is greater than 9 subtract 9 from it.
5. Sum those numbers up
6. Add the even numbered digits (the second, fourth, etc) to the number you got in the previous step
7. The check digit is the amount you need to add to that number to make a multiple of 10. So if you got 68 in the previous step the check digit would be 2. You can calculate the digit in code using checkdigit = ((sum / 10 + 1) * 10 – sum) % 10
For an example of this in practice download the code to the credit card number generator.
Credit card numbers are a special type of ISO 7812 numbers.