Credit Card Numbers

05 May 2009

Tags: security|card numbers


Did you know your credit card number is the result of a complex algorithm designed to deter fraud?

If you've ever used your credit card to make a payment on PayPal before, you may have noticed the site automatically knows whether your credit card is a Visa, MasterCard or American Express. But how does it know?

Your credit card number isn't random. The numbers form a pattern which can reveal the card payment system (Visa, MasterCard etc), currency and the bank or financial institution which issued the card.

Credit card numbers are usually sixteen digits and are governed by an international agreement called the ISO/IEC 7812 standard. The standard allows credit card payment systems and issuing institutions to allocate credit card numbers that will be globally accepted and prevents the possibility of two financial institutions in different countries issuing cards with identical numbers.

The first digit of your card is called the Major Industry Identifier (MII) and it denotes the broad industry of the issuer. For example, credit cards issued by airlines always begin with a one, cards issued by petroleum companies always begin with a seven, and travel and entertainment cards such as American Express and Diners Club begin with a three. Cards issued by banking and financial institutions begin with either a four (if the card payment system is Visa) or a five (if the payment system is MasterCard). This is how PayPal knows what type of card you have.

The first six digits (including the MII) are called the Issuer Identification Number (IIN). The IIN is a unique number assigned to your bank or financial institution. Every credit card your bank issues (of the same payment system) will have the same six-digit IIN. If your bank issues both Visa and MasterCard cards, the IIN will be different for each type.

The remaining numbers, excluding the final digit, form your account number. On a standard sixteen digit credit card number, the account number will be nine digits. On some cards, the second-to-last number indicates the card index on the account (e.g. if you have multiple credit cards linked to the same account, the first will have an index of zero, the next will have an index of one etc).

The final digit is a validity check code. It is found by using a procedure called the Luhn algorithm, named after IBM computer scientist Hans Peter Luhn. The algorithm is fairly simple: for a card with an even number of digits, double every odd-numbered digit and subtract 9 if the product is greater than 9. Add up all the even-numbered digits as well as the doubled odd-numbered digits, and the result must be a multiple of 10 or it's not a valid card. If the card has an odd number of digits, perform the same addition, doubling the even-numbered digits instead.

The check digit is valuable for a number of reasons: if you accidentally mistype a digit of your card number, it won't validate because the Luhn sum will no longer be a multiple of ten. Also, without a check digit, if the account numbers issued by the bank were sequential, you could simply add or subtract one from your own number and be confident the result was a valid credit card number.
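The structure and check described above, as an added example (not code from the original article): it splits a number into IIN, account number and check digit, runs the Luhn check in the article's wording, and confirms that no single mistyped digit slips through. Assumptions: positions are counted from the left starting at 1, the 8-digit lower length bound is arbitrary, and the sample numbers are publicly documented processor test numbers, not real accounts.

```python
import re

# First-digit (MII) industries, limited to the ones the article lists.
MII_INDUSTRY = {"1": "airline", "3": "travel and entertainment", "7": "petroleum",
                "4": "banking/financial (Visa)", "5": "banking/financial (MasterCard)"}

def luhn_valid(digits: str) -> bool:
    """Luhn check in the article's wording; positions count from the left, from 1."""
    # Even length: double the odd positions. Odd length: double the even ones.
    double_parity = 1 if len(digits) % 2 == 0 else 0
    total = 0
    for pos, ch in enumerate(digits, start=1):
        d = int(ch)
        if pos % 2 == double_parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def parse_card(raw: str) -> dict:
    """Split a card number into the fields the article describes."""
    digits = re.sub(r"[ -]", "", raw)
    # [0-9] rather than \d or str.isdigit(), which also accept non-ASCII digits.
    if not re.fullmatch(r"[0-9]{8,19}", digits):  # lower bound is an assumption
        raise ValueError("expected 8 to 19 ASCII digits")
    return {
        "industry": MII_INDUSTRY.get(digits[0], "not listed in the article"),
        "iin": digits[:6],
        "account": digits[6:-1],
        "check_digit": digits[-1],
        "luhn_ok": luhn_valid(digits),
    }

def undetected_single_digit_typos(digits: str) -> int:
    """Count single-digit substitutions that still pass the Luhn check."""
    misses = 0
    for i, original in enumerate(digits):
        for replacement in "0123456789":
            if replacement != original:
                typo = digits[:i] + replacement + digits[i + 1:]
                misses += luhn_valid(typo)
    return misses

# Publicly documented processor test numbers (not real accounts).
SAMPLES = ["4111 1111 1111 1111", "5555-5555-5555-4444", "378282246310005"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_card(sample))
```

A passing result only means the digits are internally consistent; it says nothing about whether the account exists, so a payment form should treat it as a typo filter that runs before the authorisation request.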

In the early days of e-commerce, fraudsters used Luhn's algorithm and known IINs to write credit card number generators (computer programs which could generate a seemingly-valid credit card number). The number did not necessarily correspond to a real credit card, but early e-commerce sites had no other way of determining whether a credit card number was real. Nowadays, e-commerce sites can query the payment systems directly to ensure the authenticity of a number.