Credit and Chargecard Account Numbering Formats

There are several different types of cards, but for our purposes they can be batched into 2 categories. There are credit cards, like Visa and Mastercard, and in this group we shall also include chargecards, like American Express, Diners Club and Carte Blanche. The second category comprises entertainment cards, also known as calling cards, which includes corporate cards.

There are many ways to recognise the type of card used from a transaction voucher with only the card's embossed details imprinted on it. Of course, if the carder has the card physically in his possession, or has seen it, there is no problem in determining which type of card the numbers refer to.

The following card numbering formats run according to this schedule:

5xxx-xxxx-xxxx-xxxx means four sequences of four digits each, with the first digit of the first sequence being a 5.

4xxx-xxx-xxx-xxx means four sequences, the first of four digits and the other three of three digits each, with the first digit of the first sequence being a 4.

Understanding this format makes it easier for you to determine what your credit card numbers actually represent, and how mail order retailers determine whether the number given to them over the phone is legitimate. Now you should be able to sleep easier at night, knowing that the banks have their card number verification procedures in order.

Note: With the possible exception of First Bank Systems, the final digit in all credit card account numbers is known as the checksum digit.

Note: Each issuing bank has its own unique 4-digit number, which is represented by the first 4 digits of the card number. As well as being embossed as part of the card number, the issuing bank's 4-digit number is also printed onto the card, usually above the corresponding embossed numbers. If these two sequences do not match, you are holding a sloppy counterfeit.

Chargecards

American Express (begins with a 3 and has 15 digits, in sequences of 4, 6 and 5)

37xx xxxxxx xxxxx MM/Y1 THRU MM/Y2 JOE SHMOE
3xxxxx xxxxxxxx xxxxxxxx (Gold)

Notes: The American Express Gold Card is covered for a minimum of 8,000, even if the card holder is broke. American Express tend to lead full scale investigations when their cards are misused.

Diners Club

30xxx xxxx xxxxx
31xxx xxxx xxxxx
35xxx xxxx xxxxx
36xxx xxxx xxxxx

Carte Blanche

38xxx xxxx xxxxx

Discover (fairly rare in the UK, but gaining ground, slowly)

6011 xxxx xxxx xxxx

JCB (Japanese Credit Bureau. Up-and-coming, especially in Asia)

35xx xxxx xxxx xxxx

Credit Cards

VISA cards are the most commonly used cards in the world, being more widely circulated than any other organisation's, and accepted almost everywhere. Visa numbers always begin with a 4, and are either 13 or 16 digits long. Visa expiry dates are usually between 2 and 3 years after the date of issue.

4xxx xxx xxx xxxx MM/Y1 MM/Y2 * JOE SHMOE
4xxx xxxx xxxx xxxx MM/Y1 MM/Y2 * JOE SHMOE

Notes: The first date is when the card was issued and the second is when the card expires. A cv (represented by an asterisk) after or next to the expiry date denotes an ordinary card, while a pv denotes a preferred customer and v is a Preferred Card. Classic Cards are the most recent and difficult to counterfeit to a passable standard. Preferred Cards are much safer to use and not surprisingly preferred by fraudsters; this may be why the bank decided to call them Preferred Cards. When verifying a Visa Premier Card, the verification centre will always ask for the name of the cardholder. Premier Cards are Classic Cards with Preferred coverage. Common Premier card numbers are: 4448 020 xxx xxx, 4254 5123 6000 xxxx, and 4254 5123 8500 xxxx.

MASTERCARD/ACCESS/EUROCARD - all part of the same conglomerate using different names. They are the second-most common credit cards in circulation.
Their numbers always begin with a 5 and are always 16 digits long, in four sequences of four digits.

5xxx xxxx xxxx xxxx. MM-Y1 MM/Y2 JOE SHMOE

Notes: The digits in the second number-sequence may be asked for during the verification process if the transaction is done by telephone or where the card is not physically presented at the point of sale. The first date (MM/Y1) is when the card was issued and the second (MM/Y2) is when the card expires. The most frequent number combination used is 5424 1800 xxxx xxxx. There are many of these cards in circulation, and also many on wanted lists which are frequently circulated throughout the world. A MasterCard Gold card simply means that the credit limit is good for at least 5,000, while an ordinary Mastercard usually has a pre-defined credit limit of anything from 500 to 4,000. An asterisk may signify a gold card, but this is not a reliable method as it depends on when the card was issued.

American Express (started life in 1995): 37xx xxxxxx 11xxx

Bank of America
Mastercard: 5xxx-xxxx-xxxx-xxxx
Visa: 4xxx-xxxx-xxxx-xxxx
4024-0046-xxxx-xxxx (may be cv or pv)
4024-0807-xxxx-xxxx (may be cv or pv)
4024-0238-xxxx-xxxx (gold card)

Citibank, or Citicorp (the most common credit card in the United States)
Mastercard: 5218-xxxx-xxxx-xxxx
Mastercard: 5424-18xx-xxxx-xxxx
Visa: 4128-xxx-xxx-xxx
Visa: 4271-38xx-xxxx-xxxx
4271-382A-xxxx-xxxx (Citibank Preferred Visa. The first 7 digits are the bank ID number. The 8th digit denotes the cardholder's status, being the amount of credit available on the card. The lower the number, the higher the credit.)
Next, the notorious 4128, otherwise known as:
4128-xxx-xxx-xxx (Citibank Classic Visa, credit limit likely only up to $1,000)

Computer Communications
Mastercard: 518x-xxxx-xxxx-xxxx
Visa: 4xxx-xxxx-xxxx-xxxx

First Direct
Visa: 4543-xxxx-xxxx-xxxx

IBM Credit Union (extremely risky to use fraudulently without prior and thorough research, but that done and the cards will usually cover very large purchases)
4712 1250 xxxx xxxx

MBNA Bank
Visa: 4916-xxxx-xxxx-xxxx

National Westminster Bank
Mastercard: 5434-xxxx-xxxx-xxxx

Credit Card Algorithms

The credit card companies (Visa, MC, and American Express) issue card numbers conforming to a specific checksum algorithm. Every card number conforms to this checksum, although this does not mean that every card number passing the checksum is valid and can be used. It means only that such a card number is valid in that it may be issued by the credit card company - not that it actually has been issued!

The checksum test is often used by companies accepting credit cards for mail order or other goods and services where the card is not physically presented at the time of the transaction. For some companies, verifying the given card number's validity is only the first step of the procedure, the next step being to obtain a verification from the issuing bank. Other companies stop at checking only the first sequence of the card number's digits with a database, to see if it is a valid bank, and also the number of digits in the card's account number. This is a nominal double-check, in case the card number was misheard or entered wrongly by the person taking the order.

These tests help to weed out customers who simply conjure up card numbers, a common attempt at fraud by the uninitiated. Only, if one were to try to fabricate an Amex number by using the right format (starting with a 3, and 15 digits long), only about 1 in 100 random guesses would pass the checksum algorithm.

Now we have to ask the obvious question.
Why do companies use the algorithm for verification instead of doing an actual transaction check? First, it's much faster when done by computer, and then it costs nothing. Banks and credit card companies used to charge merchants each time they called in to verify a card number, and some still do, so if a merchant is in a type of business prone to receiving lots of phoney numbers, verification can turn out to be a costly pastime. It is widely known, for example, that on-line information services and Internet access providers (i.e., CompuServe, Genie, Demon, Cix, etc.) use this method when processing new customers by phone.

Most transactions between credit card companies and merchants take place on a monthly, weekly, or bi-weekly basis. Bulk transactions work out less expensive to the merchants, and a merchant will often take the card number from a customer, run it through the algorithm for verification and debit the card accordingly, either immediately or at the end of their internal accounting period. In some situations this can be used to the fraudster's advantage.

Here is a technique used by fraudsters to quickly verify credit card account numbers without having to call up the credit card company and risk leaving a trail. Some telephone retail services use this same algorithm exclusively, as a half-measure, if they do not have a direct link to card company computers and need to verify numbers as they are called in by customers. In some cases they already have the telephone number from which the call originated, using caller-ID, so they don't feel it is necessary to do a complete credit check. I often wonder if they have ever heard of payphones.

This is how the basic algorithm works. After the format is checked (correct first digit and correct number of digits), a 21212121... weighting scheme is used to check the card number. For the uninitiated, we have included what is known as a Luhn Check Digit Routine (appendix); this was written in Pascal, a computer language.
But for the computer literate, here is the English pseudocode:

    check equals 0
    go from first digit to last digit
        product equals value of current digit
        if digit position from end is odd (counting the last digit as position 0) then
            multiply product by 2
            if product is 10 or greater then
                subtract 9 from product
        add product to check
    end loop
    if check is divisible by 10, then card number has passed the checksum test

The Checksum Digit

Now we know that the one thing which all credit cards have in common is that their checksum digit is always the last digit of the card number. The checksum digit is generated by the computer at the time of issue, and is also verified whenever the card is used or verified by an electronic medium. If the last digit is incorrect, the card is automatically unacceptable.

There are several computer programmes and routines which can be used to validate a card's checksum, and these can also be used in conjunction with other easy-to-discover information to produce entirely fictitious yet valid card numbers. The following procedures work for all types of credit cards and most chargecards (also known as entertainment, or corporate cards). A real live Pascal subroutine is included at the end of this section, but for those who can't be bothered to type it in, this is how it works.

For Visa, Mastercard, American Express, Diners Club, Carte Blanche, Discover and JCB, try the following procedure with your own card. This is known as modular-10 ger, or mod-10 ger for short.

Weight #1: 1212121212121212 (for Visa, Amex, and Diners)
Weight #2: 2121212121212121 (for Mastercard, Discover, and JCB)

Example One

4444 0041 3001 128?
Visa card
x1212 1212 1212 121                   Weight #1
-------------------------
 4848 0042 3002 148                   result of multiplication
4+8+4+8+0+0+4+2+3+0+0+2+1+4+8 = 48    add together
4+8 = 12                              add the digits of the result together
12x10 = 120                           multiply by 10
120-48 = 72                           subtract from first result
72 mod 10 = 2                         result modular 10, equals the checksum digit, or the last digit of the account number

Example Two

 5555 0125 1500 058?                  MasterCard
x2121 2121 2121 212-                  weight #2
------------------------
 1515 0145 2500 057                   result of multiplication. Confused? Look at the 15th digit, 8 x 2 should be 16 but adding 1+6 gets you to 7.
1+5+1+5+0+1+4+5+2+5+0+0+0+5+7 = 41    result of addition
4+1 = 5                               add the digits together
5x10 = 50                             multiply by 10
50-41 = 9                             subtract first result
9 mod 10 = 9                          result modular 10, equals the checksum digit, or the last digit of the account number

All they have to remember is to use the correct weight for the specific card. The rest is easy. If they want to make a valid AMEX card, they can use the above method. There are several other methods of producing valid AMEX card numbers, not least by using cancellation bulletins, also known as hotlists, which are available from most friendly retailers and often found discarded amongst normal commercial waste. Alternatively, they might use what is fabulously known as Saturdays Knight, after a young man who seems to understand such things. Here are a couple of examples of Saturdays Knight's technique in action:

Example: 37xx xx xxxx x111x
The 37 will always be there for AMEX cards and the 111 will be the format to look for. Everything else will be the same.

37xx xxxxxx x101x
Add 1 to the 14th digit and subtract 2 from the 15th digit. If it's 0 it means 10, otherwise everything else will be the same.
+1-2

37xx xx xxxx xx000
Add 1 to the 14th digit and subtract 2 from the 15th digit
+1-2

37xx xx xxxx x100x
Add 1 to the 12th digit and subtract 2 from the 15th digit.
+1 -2

37xx xx xxxx x102x
Convert the 102 to 201.
201

37xx xx xxxx x101x
Subtract 1 from the 14th digit and add 2 to the 15th digit.
-1+2

37xx xx xxxx x100x
Add 2 to the 9th digit, add 4 to the 11th digit and add 4 to the 15th digit.
+2 +4 +4

Luhn Check Digit Routine

Credit cards use the Luhn Check Digit Routine. The main purpose of this routine, or algorithm, is to detect data entry errors, but it does double duty here as a weak security tool. The Luhn Check Digit Algorithm is a computer programme used by fraudsters and phantom credit card users, and others, to check the validity of a credit card. It only checks to see if a particular number is valid for issue, rather than if it actually has been.

Briefly, for a card with an even number of digits, double every odd numbered digit and subtract 9 if the product is greater than 9. Add up all the even digits as well as the doubled-odd digits, and the result should be a multiple of 10, otherwise it's not a valid card. If the card has an odd number of digits perform the same addition, but this time doubling the even numbered digits instead.

Other popular programmes among phantom credit card users are CCMaster, for PC, or Cardit for Apple Mac. These programmes also check only the validity of a credit card and generate hundreds of additional credit card numbers, although it must be made clear that the generated numbers do not relate to actual cards in circulation but only to valid card numbers.

We cannot give credit to the person who actually wrote this routine, as nobody seems to know who it was; many people have just replaced the original writer's name with their own. The following routine is written in Pascal, and used by fraudsters to verify the checksum digit on Visa and Mastercards.

    WEIGHT$="2121212121212121"
    WLEN$=LEN(WEIGHT$)
    CLEN=LEN(CC)                  (* CC = CREDIT CARD NUMBER *)
    CK.DIGIT=CC[1]                (* the checksum digit of CC *)
    CNBR=CC[1,CLEN-1]             (* the number without its checksum digit *)
    CNBR.LEN=CLEN-1
    RESULT=0
    WI=CNBR.LEN                   (* each digit uses the weight at its own position *)
    FOR IX=CNBR.LEN TO 1 STEP -1
       PRODUCT=CNBR[IX,1] * WEIGHT$[WI,1]
       FOR IDX2=1 TO LEN(PRODUCT)
          RESULT+=PRODUCT[IDX2,1]   (* add the digits of the product *)
       NEXT IDX2
       WI-=1
    NEXT IX
    MULTIPLE.OF.TEN=(INT(RESULT/10)+(MOD(RESULT,10) GT 0)) * 10
    TEMP.CHECK.DIGIT=MULTIPLE.OF.TEN-RESULT
    CC=(TEMP.CHECK.DIGIT EQ CK.DIGIT)
    RETURN
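
The Luhn check described above, placed where a merchant's order-entry code would use it: as a typing-error filter ahead of issuer authorisation, never as proof that a card exists. This is an added example in Python, not part of the original text; the function names are illustrative, the first digits and lengths are the ones given on this page, and the card numbers are publicly documented processor test numbers plus one constructed value.

```python
# Added example: order-entry pre-screen. Names are illustrative; the card
# numbers used with it are public test numbers or constructed values.
FORMATS = {  # first digit and lengths as given on this page
    "visa": ("4", {13, 16}),
    "mastercard": ("5", {16}),
    "amex": ("3", {15}),
}

def luhn_ok(number: str) -> bool:
    """True if an ASCII digit string passes the Luhn (mod 10) check."""
    total = 0
    for pos, ch in enumerate(reversed(number)):  # pos 0 is the check digit
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def prescreen(raw: str) -> str:
    """Classify keyed-in input. It never approves: only the issuer can."""
    number = raw.replace(" ", "").replace("-", "")
    if not (number.isascii() and number.isdigit()):
        return "reject: not numeric"
    brand = next((b for b, (first, lengths) in FORMATS.items()
                  if number.startswith(first) and len(number) in lengths), None)
    if brand is None:
        return "reject: unknown prefix or length"
    if not luhn_ok(number):
        return "reject: checksum (likely mistyped)"
    return f"send to issuer for authorization ({brand})"

def undetected_errors(number: str) -> tuple:
    """Count keying errors Luhn misses: (digit substitutions, adjacent swaps)."""
    subs = sum(luhn_ok(number[:i] + str(d) + number[i + 1:])
               for i in range(len(number)) for d in range(10)
               if str(d) != number[i])
    swaps = sum(luhn_ok(number[:i] + number[i + 1] + number[i] + number[i + 2:])
                for i in range(len(number) - 1) if number[i] != number[i + 1])
    return subs, swaps

if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111", "4111 1111 1111 1121", "3782-822463-10005"):
        print(sample, "->", prescreen(sample))
    print(undetected_errors("4000000000000903"))  # constructed; contains "09"/"90"
```

Every single-digit slip is caught, but swapping an adjacent 0 and 9 is not, and a pass says nothing about whether the account was ever issued, so the issuer's authorisation remains the only real control.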