Anatomy of Credit Card Numbers
by Michael Gilleland, Merriam Park Software
Introduction
Major Industry Identifier
Issuer Identifier
Account Number
Check Digit
Examples
Introduction
This is not an essay on credit cards per se. If that's what you're
looking for, I recommend Joe Ziegler's excellent series
Everything You
Ever Wanted to Know about Credit Cards. This essay has a narrower focus --
to explore the anatomy of your credit card number, and to provide Java source
code which determines if a given credit card number might be valid.
Specifications for credit card numbering have been drawn up by the
International Standards Organization (ISO/IEC 7812-1:1993) and the American
National Standards Institute (ANSI X4.13). These eminent organizations refuse to
make their publications freely available on-line, and so the following
information on the format of credit card numbers comes largely from an Internet
Engineering Task Force (IETF) draft by Donald E. Eastlake 3rd, "ISO 7812/7816
Numbers and the Domain Name System (DNS)" (draft-eastlake-card-map-08, expires
August 2001), available at the time of this writing at
http://www.globecom.net/ietf/draft/draft-eastlake-card-map-08.html. I have not
linked to this URL, because individual versions of IETF drafts are notoriously
ephemeral.
Digit numbering in this essay is left to right. The "first" digit,
therefore, means the leftmost digit.
Major Industry Identifier
The first digit of your credit card
number is the Major Industry Identifier (MII), which represents the category of
entity which issued your credit card. Different MII digits represent the
following issuer categories:
| MII Digit Value |
Issuer Category |
| 0 |
ISO/TC 68 and
other industry assignments |
| 1 |
Airlines |
| 2 |
Airlines and other
industry assignments |
| 3 |
Travel and
entertainment |
| 4 |
Banking and
financial |
| 5 |
Banking and
financial |
| 6 |
Merchandizing and
banking |
| 7 |
Petroleum |
| 8 |
Telecommunications
and other industry assignments |
| 9 |
National
assignment |
For example, American Express, Diner's Club,
and Carte Blanche are in the travel and entertainment category, VISA,
MasterCard, and Discover are in the banking and financial category, and SUN Oil
and Exxon are in the petroleum category.
Issuer Identifier
The first 6 digits of your credit card
number (including the initial MII digit) form the issuer identifier. This means
that the total number of possible issuers is a million (10 raised to the sixth
power, or 1,000,000).
Some of the better known issuer identifiers
are listed in the following table:
| Issuer |
Identifier |
Card Number Length |
| Diner's Club/Carte
Blanche |
300xxx-305xxx,
36xxxx, 38xxxx |
14 |
| American Express |
34xxxx, 37xxxx |
15 |
| VISA |
4xxxxx |
13, 16 |
| MasterCard |
51xxxx-55xxxx |
16 |
| Discover |
6011xx |
16 |
If the MII digit is 9, then the next three
digits of the issuer identifier are the 3-digit country codes defined in ISO
3166, and the remaining final two digits of the issuer identifier can be defined
by the national standards body of the specified country in whatever way it
wishes.
Digits 7 to (n - 1) of your credit card
number are your individual account identifier. The maximum length of a credit
card number is 19 digits. Since the initial 6 digits of a credit card number are
the issuer identifier, and the final digit is the check digit, this means that
the maximum length of the account number field is 19 - 7, or 12 digits. Each
issuer therefore has a trillion (10 raised to the 12th power, or
1,000,000,000,000) possible account numbers.
If we consider the large number of
potential customers and usurious interest rates charged by issuers, there is
obviously a lot of money to be made in the credit card industry. In more
civilized ages, people believed that usury was a grievous offense contrary to
nature or a mortal sin, not an acceptable business practice (Aristotle, Politics
1.10; St. Thomas Aquinas, De Malo 13.4; Dante, Inferno 11.94-111; etc.).
The final digit of your credit card
number is a check digit, akin to a checksum. The algorithm used to arrive at the
proper check digit is called the Luhn algorithm, after IBM scientist Hans Peter
Luhn (1896-1964), who was awarded US Patent 2950048 ("Computer for Verifying
Numbers") for the technique in 1960. For details about Luhn's life, see
Thanks to Aleksandar Janicijevic for
directing me to information about H.P. Luhn.
The most succint description of the Luhn
algorithm I have found comes from the hacker publication
phrack 47-8: "For a card
with an even number of digits, double every odd numbered digit and subtract 9 if
the product is greater than 9. Add up all the even digits as well as the
doubled-odd digits, and the result must be a multiple of 10 or it's not a valid
card. If the card has an odd number of digits, perform the same addition
doubling the even numbered digits instead."
The bit about even and odd is a little
confusing. The main point is that you don't want to double the check digit, and
this can easily be done by starting with the check digit, going backwards, and
doubling every other digit. See the
source code below for details.
These examples are drawn from junk mail I
received from credit card issuers in August 2001. Some of this junk mail
contained glossy pictures of credit cards, and the sample numbers come directly
from two of these pictures.
4408 0412 3456 7890
The first credit card offer showed a picture
of a card with the number 4408 0412 3456 7890.
The Major Industry Identifier (MII) is 4
(banking and financial), the issuer identifier is 440804 (a VISA partner), the
account number is 123456789, and the check digit is 0.
Let's apply the Luhn check to 4408 0412 3456
7890. In the following table,
- The top row is the
original number.
- In the second row,
we multiply alternate digits by 2. Don't multiply the check digit by 2.
- In the third row, we
force all digits to be less than 10, by subtracting 9 where necessary.
- The bottom row
contains the digits to be added together.
| 4 |
4 |
0 |
8 |
0 |
4 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
0 |
| 4 x
2 = 8 |
4 |
0 x
2 = 0 |
8 |
0 x
2 = 0 |
4 |
1 x
2 = 2 |
2 |
3 x
2 = 6 |
4 |
5 x
2 = 10 |
6 |
7 x
2 = 14 |
8 |
9 x
2 = 18 |
0 |
| 8 |
4 |
0 |
8 |
0 |
4 |
2 |
2 |
6 |
4 |
10
- 9 = 1 |
6 |
14
- 9 = 5 |
8 |
18
- 9 = 9 |
0 |
| 8 |
4 |
0 |
8 |
0 |
4 |
2 |
2 |
6 |
4 |
1 |
6 |
5 |
8 |
9 |
0 |
If we add all of the digits in the bottom row
together, we get 67, which is not a multiple of 10, and therefore we conclude
that the number 4408 0412 3456 7890 is an invalid credit card number.
By changing the check digit from 0 to 3, we
arrive at the number 4408 0412 3456 7893, which does pass the Luhn check, since
the sum of the digits in the bottom row would be 70, which is divisible by 10.
4408 0412 3456 7893 is, on the face of it, a valid credit card number.
4417 1234 5678 9112
The second credit card offer showed a picture
of a card with the number 4417 1234 5678 9112.
The Major Industry Identifier (MII) is 4
(banking and financial), the issuer identifier is 441712 (a VISA partner), the
account number is 345678911, and the check digit is 2.
Let's apply the Luhn check to 4417 1234 5678
9112, as we did in the previous example.
| 4 |
4 |
1 |
7 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
1 |
1 |
2 |
| 4 x
2 = 8 |
4 |
1 x
2 = 2 |
7 |
1 x
2 = 2 |
2 |
3 x
2 = 6 |
4 |
5 x
2 = 10 |
6 |
7 x
2 = 14 |
8 |
9 x
2 = 18 |
1 |
1 x
2 = 2 |
2 |
| 8 |
4 |
2 |
7 |
2 |
2 |
6 |
4 |
10
- 9 = 1 |
6 |
14
- 9 = 5 |
8 |
18
- 9 = 9 |
1 |
2 |
2 |
| 8 |
4 |
2 |
7 |
2 |
2 |
6 |
4 |
1 |
6 |
5 |
8 |
9 |
1 |
2 |
2 |
If we add all of the digits in the bottom row
together, we get 69, which is not a multiple of 10, and therefore we conclude
that the number 4417 1234 5678 9112 is an invalid credit card number.
By changing the check digit from 2 to 3, we
arrive at the number 4417 1234 5678 9113, which does pass the Luhn check, since
the sum of the digits in the bottom row would be 70, which is divisible by 10.
4417 1234 5678 9113 is, on the face of it, a valid credit card number.
Warning
These two credit card offers contained
pictures with numbers which the Luhn check proved to be invalid. A change to
their check digits made them ostensibly valid. But if I were you, I wouldn't try
to charge anything with them
|
