I had occasion to cancel a credit card and get a new one recently, which made me look at and think about credit card numbers. I suppose that I'd always thought of them as a more or less random string of integers, maximizing the number of such strings that would be available to banks etc. (10 X 10 X 10 etc. for each integer place…) and making it just that bit more difficult for criminals to suss out a number.
Turns out I couldn't be more wrong: credit card (and bank card) numbers are highly structured entities and only make use of "randomness" in a small way. They are governed by ISO 7812, which applies to magnetic stripe cards of all sorts.
The first regularity is the "major industry identifier," the first digit of the card number. 4 and 5 are reserved for the banking and financial industry. (1 is for airlines, 3 is for travel — which includes Amex — 7 is for petroleum…).
Then comes the 5 digit "issuer identifier number." In theory this is supposed to be secret, known only to those inside the industry. But as Wikipedia points out, it would be easy to gather examples from a number of cards and deduce a company's IIN.
Third is the card holder's account number, running from digit 7 to the next to the last digit, up to a maximum of 12 digits. This is the most nearly "random" part, but even here there is order, which is revealed by the…
Last digit, which is a "check digit." This end number is calculated by using the Luhn algorithm, also known as modulus 10. I am far too innumerate to give you the full mathematical model here. But the "simple" explanation runs as follows, and is taken directly from Wikipedia:
- Counting from rightmost digit (which is the check digit) and moving left, Double the value of every alternate digit. For any digits that thus become 10 or more, take the two numbers and add them together. For example, 1111 becomes 2121, while 8763 becomes 7733 (from 2×6=12 → 1+2=3 and 2×8=16 → 1+6=7).
- Add all these digits together. For example, if 1111 becomes 2121, then 2+1+2+1 is 6; and 8763 becomes 7733, so 7+7+3+3 is 20.
- If the total ends in 0 (put another way, if the total modulus 10 is congruent to 0), then the number is valid according to the Luhn formula; else it is not valid. So, 1111 is not valid (as shown above, it comes out to 6), while 8763 is valid (as shown above, it comes out to 20).
Now this isn't done, as you might suppose, as some sort of cryptographic effort at security; the real reason is to enable a check that in recounting the number none of the digits have been transposed. It would also, I guess, catch the odd fraudster who, like me, wouldn't be able to work the Luhn algorithm and come up with a valid-seeming account number.
Interestingly, the Luhn algorithm is also used to check transmitted Canadian social insurance numbers.
