The specification for credit card numbering is governed by the International Standards Organization (ISO/IEC 7812-1:1993) and the American National Standards Institute (ANSI X4.13). These organizations do not make their standards public. The following information comes from my experience in working with electronic commerce for more than 15 years.
Numbering is from left to right. Let's look at a credit card number so that you have visual context.
Major Industry Identifier (MII)
If the MII is 9, the next three digits of the issuer identifier are the 3-digit country codes defined in ISO 3166, and the remaining final two digits of the issuer identifier can be defined by the national standards body of the specified country in whatever way wished.
The first few digits can always be used to identify the credit card type. In the USA we tend to identify the card types as follows:
- Visa: 4xxxxxx
- Mastercard: 5xxxxx
- Discover: 6011xx, 644xxx, 65xxxx
- American Express: 3xxxx, 37xxxx
- Diner's Club and Carte Blanche: 300xxx-305xxx, 36xxxx, 38xxxx
Card number lengths by type:
- Visa and Visa Electron: 13 or 16
- Mastercard: 16
- Discover: 16
- American Express: 15
- Diner's Club (including enRoute, International, Blanche): 14
- Maestro: 12 to 19 (multi-national Debit Card)
- Laser: 16 to 19 (Ireland Debit Card)
- Switch: 16, 18 or 19 (United Kingdom Debit Card)
- Solo: 16, 18 or 19 (United Kingdom Debit Card)
- JCB: 15 or 16 (Japan Credit Bureau)
- China UnionPay: 16 (the only domestic bank card organization in the People's Republic of China)
Issuer Identification Number (IIN) or Bank Identification Number (BIN)
The first 6 digits of your credit card number (including the initial MII digit) form the Issuer Identification Number or IIN. The IIN is also referred to as the Bank Identification Number or BIN. These digits identify which organization issued the credit card. You can look up the issuing organization on the Internet using a BIN Database service ( https://www.bindb.com/bin-database.html ). In electronic commerce the BIN can be very useful.
BIN databases typically show the type of card like Debit or Credit, brand of card (e.g. Visa, MasterCard, Discover, American Express, etc.), and level of card such as Classic, Standard, Gold, Platinum, and World Signia. The database contains other details about the card like the $300 card limit on the Tribute Mastercard or if the card is ATM Only, Cirrus, Electronic Only, Gift, Maestro, or Prepaid. Issuing bank, country ISO name, ISO A2 country code, and ISO A3 country code are also available.
Carding, a term used for a process to verify the validity of stolen card data, is typically picked up by gateway providers by identifying multiple transactions from a single IP address or too many transactions in a certain number of minutes. Carding is not really viable due to widespread use of additional data such as the billing address, the card's expiration date and/or the 3- to 4-digit Card Security Code/CVV. BIN attacks are no longer viable because credit card issuers randomly generate the card numbers. Identity theft via application fraud and account takeover is not detectable by the merchant. Card-not-present transaction fraud has been thwarted by use of the name on the card, expiration date and the Card Security Code/CVV. Other than identity theft, the single biggest area for fraud in 2011 is gift cards (many are purchased with stolen credit cards). We use every available technique to avoid fraud. All but installment transaction fraud is handled by the credit card gateway. We use BIN data to combat fraud on installment transactions (e.g. shipping-only 30-day trials or two/three-pay offers).
As an example, we have a client that sells an item as a 30-day trial at $10.95 for shipping and processing. If one pays $10.95, the company ships the $199 item. If the consumer decides to keep the product, they pay five easy payments of $39.80. Why do they sell this way? Because testing shows that this style of selling optimizes conversion. These days, it is not uncommon to be defrauded by individuals using gift cards. These individuals will order over and over again with slightly different names or addresses, receive the products, and then resell them on eBay. Because the consumer/fraudster used a gift card with only a $15 limit (enough for the customer to pay for shipping and get the product), subsequent charges fail, and the seller is unable to collect the five installment payments. This type of fraud is real. We've seen examples costing well over $125,000 per year.
Why not use the credit card gateway installment payment feature to ensure that sufficient funds are available? Because installment payments require additional notifications which lead to lower conversion and higher return activity. Why not use name and address algorithms to detect the fraud? We do. At best, the algorithms are difficult to program and are still very much imperfect. The number one way to protect against installment payment fraud is via the use of BIN lookup to automatically decline gift and prepaid credit cards.
We also use BIN data to match post-transaction or post-checkout offers to consumer types. Gold, Platinum and World Signia customers have better credit and higher incomes. They tend to be big spenders. Classic and Standard cardholders spend less. We use the BIN to trigger offers aimed at each demographic. Using the BIN this way can add needed dollars to your average ticket. If a customer logs into the commerce system or can be identified by a special cookie or Flash cookie, then the BIN data can be used to augment the merchandising of the Web site.
Digits 7 through the second-to-last digit form the individual account identifier. The maximum length of a credit card number is 19 digits. Since the initial 6 digits of a credit card number are the issuer identifier, and the final digit is the check digit, this means that the maximum length of the account number field is 19 minus 7, or 12 digits. Each issuer therefore has a trillion (10 raised to the 12th power, or 1,000,000,000,000) possible account numbers. In practice all MII 3, 4, 5, and 6 credit cards use 16 or fewer digits. Solo, Maestro, Laser and Switch use 18- and 19-digit numbers. These are European cards run over the Visa network.
The final digit of your credit card number is a check digit, akin to a checksum. The LUHN Formula, known also as a Mod 10 calculation, can be used to validate account numbers. The following steps are required to validate the primary account number.
Step 1: Double the value of alternate digits of the credit card number beginning with the second digit from the right (the first right-hand digit is the check digit).
Step 2: Add the individual digits comprising the products obtained in Step 1 to each of the unaffected digits in the original number.
Step 3: The total obtained in Step 2 must be a number ending in zero (30, 40, 50, etc.) for the account number to be validated.
The LUHN formula was designed to protect against accidental errors, not malicious attacks. Most credit cards and many government identification numbers use the algorithm as a simple method of distinguishing valid numbers from random digits. The LUHN algorithm will detect almost any single-digit error.
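The following Python is an added example (not code from the article or from Dirigo) that puts the prefix and length tables above and the three Mod 10 steps into one set of structural checks a merchant can run before any gateway call, and then counts how many single-digit substitutions the check digit actually catches. The "34" American Express prefix is from general knowledge rather than the article's list, and the card numbers used are well-known industry test numbers, not real accounts.

```python
"""Structural checks on a card number (PAN): MII/IIN split, brand lookup, Luhn."""

# Prefix and length tables as listed in the article, checked in order (Diner's Club
# before American Express so 36xx/38xx are not swallowed by a generic "3" match).
# The "34" Amex prefix is from general knowledge, not the article's list.
BRANDS = [
    ("Diner's Club", tuple(str(p) for p in range(300, 306)) + ("36", "38"), {14}),
    ("American Express", ("34", "37"), {15}),
    ("Visa", ("4",), {13, 16}),
    ("Mastercard", ("5",), {16}),
    ("Discover", ("6011", "644", "65"), {16}),
]


def luhn_valid(pan: str) -> bool:
    """The article's three Mod 10 steps; non-digit input is rejected, not cleaned."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):  # i == 0 is the check digit, left as-is
        d = int(ch)
        if i % 2 == 1:        # Step 1: double every second digit from the right
            d *= 2
            if d > 9:         # Step 2: add the product's digits (14 -> 1 + 4 == 14 - 9)
                d -= 9
        total += d            # Step 2: ... plus the untouched digits
    return total % 10 == 0    # Step 3: the total must end in zero


def identify_brand(pan: str):
    """Brand whose prefix and length both match the article's tables, else None."""
    for brand, prefixes, lengths in BRANDS:
        if pan.startswith(prefixes) and len(pan) in lengths:
            return brand
    return None


def check_pan(pan: str) -> dict:
    """What the digits alone reveal: MII, IIN/BIN, brand and check-digit validity."""
    return {"mii": pan[:1], "iin": pan[:6], "brand": identify_brand(pan), "luhn_ok": luhn_valid(pan)}


def substitutions_detected(pan: str) -> int:
    """How many of the 9 * len(pan) possible single-digit substitutions Luhn rejects."""
    caught = 0
    for pos, ch in enumerate(pan):
        for wrong in "0123456789":
            if wrong != ch and not luhn_valid(pan[:pos] + wrong + pan[pos + 1:]):
                caught += 1
    return caught


if __name__ == "__main__":
    for pan in ("4111111111111111", "378282246310005", "6011111111111117", "4111111111111112"):
        print(pan, check_pan(pan))
    print("single-digit errors caught:", substitutions_detected("4111111111111111"), "of", 9 * 16)
```

Because the doubled-digit mapping is a permutation of 0 to 9, every one of the 144 single-digit substitutions in a 16-digit number changes the Mod 10 total, which the last line shows.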
There you have it. The anatomy of a credit card number and how Dirigo uses the BIN in electronic commerce.