This is not an essay on credit cards per se. If that's what you're looking for, I recommend Joe Ziegler's excellent series "Everything You Ever Wanted to Know about Credit Cards". This essay has a narrower focus -- to explore the anatomy of your credit card number, and to provide Java source code which determines if a given credit card number might be valid.

Specifications for credit card numbering have been drawn up by the International Standards Organization (ISO/IEC 7812-1:1993) and the American National Standards Institute (ANSI X4.13). These eminent organizations refuse to make their publications freely available on-line, and so the following information on the format of credit card numbers comes largely from an Internet Engineering Task Force (IETF) draft by Donald E. Eastlake 3rd, "ISO 7812/7816 Numbers and the Domain Name System (DNS)" (draft-eastlake-card-map-08, expires August 2001), available at the time of this writing at http://www.globecom.net/ietf/draft/draft-eastlake-card-map-08.html. I have not linked to this URL, because individual versions of IETF drafts are notoriously ephemeral.

Digit numbering in this essay is left to right. The "first" digit, therefore, means the leftmost digit.

The **first digit** of your credit card number is the Major Industry Identifier
(MII), which represents the category of entity which issued your credit card.
Different MII digits represent the following issuer categories:

MII Digit Value | Issuer Category |
---|---|

0 | ISO/TC 68 and other industry assignments |

1 | Airlines |

2 | Airlines and other industry assignments |

3 | Travel and entertainment |

4 | Banking and financial |

5 | Banking and financial |

6 | Merchandizing and banking |

7 | Petroleum |

8 | Telecommunications and other industry assignments |

9 | National assignment |

For example, American Express, Diner's Club, and Carte Blanche are in the travel and entertainment category, VISA, MasterCard, and Discover are in the banking and financial category, and SUN Oil and Exxon are in the petroleum category.

The **first 6 digits** of your credit card number (including the initial MII digit)
form the issuer identifier. This means that the total number of possible issuers is
a million (10 raised to the sixth power, or 1,000,000).

Some of the better known issuer identifiers are listed in the following table:

Issuer | Identifier | Card Number Length |
---|---|---|

Diner's Club/Carte Blanche | 300xxx-305xxx, 36xxxx, 38xxxx | 14 |

American Express | 34xxxx, 37xxxx | 15 |

VISA | 4xxxxx | 13, 16 |

MasterCard | 51xxxx-55xxxx | 16 |

Discover | 6011xx | 16 |

If the MII digit is 9, then the next three digits of the issuer identifier are the 3-digit country codes defined in ISO 3166, and the remaining final two digits of the issuer identifier can be defined by the national standards body of the specified country in whatever way it wishes.

**Digits 7 to (n - 1)** of your credit card number are your individual account
identifier. The maximum length of a credit card number is 19 digits. Since the
initial 6 digits of a credit card number are the issuer identifier,
and the final digit is the check digit, this means that the maximum length of the account number field is 19 - 7, or 12 digits. Each issuer therefore has a trillion (10 raised to the 12th power, or 1,000,000,000,000) possible account numbers.

If we consider the large number of potential customers and usurious interest rates charged by issuers, there is obviously a lot of money to be made in the credit card industry. In more civilized ages, people believed that usury was a grievous offense contrary to nature or a mortal sin, not an acceptable business practice (Aristotle, Politics 1.10; St. Thomas Aquinas, De Malo 13.4; Dante, Inferno 11.94-111; etc.).

The **final digit** of your credit card number is a check digit, akin to a checksum.
The algorithm used to arrive at the proper check digit is called the Luhn algorithm, after
IBM scientist Hans Peter Luhn (1896-1964), who was awarded US Patent 2950048
("Computer for Verifying Numbers") for the technique in 1960.
For details about Luhn's life, see

- Biography on the American Society for Information Science and Technology's Web site, at http://www.asis.org/Features/Pioneers/luhn.htm.
- Notes compiled by Susan K. Soy on "H.P. Luhn and Automatic Indexing" at http://www.gslis.utexas.edu/~ssoy/organizing/l391d2c.htm

Thanks to Aleksandar Janicijevic for directing me to information about H.P. Luhn.

The most succinct description of the Luhn algorithm I have found comes from the hacker publication phrack 47-8: "For a card with an even number of digits, double every odd numbered digit and subtract 9 if the product is greater than 9. Add up all the even digits as well as the doubled-odd digits, and the result must be a multiple of 10 or it's not a valid card. If the card has an odd number of digits, perform the same addition doubling the even numbered digits instead."

The bit about even and odd is a little confusing. The main point is that you don't want to double the check digit, and this can easily be done by starting with the check digit, going backwards, and doubling every other digit.

These examples are drawn from junk mail I received from credit card issuers in August 2001. Some of this junk mail contained glossy pictures of credit cards, and the sample numbers come directly from two of these pictures.

The first credit card offer showed a picture of a card with the number 4408 0412 3456 7890.

The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 440804 (a VISA partner), the account number is 123456789, and the check digit is 0.

Let's apply the Luhn check to 4408 0412 3456 7890. In the following table,

- The top row is the original number.
- In the second row, we multiply alternate digits by 2. Don't multiply the check digit by 2.
- In the third row, we force all digits to be less than 10, by subtracting 9 where necessary.
- The bottom row contains the digits to be added together.

4 | 4 | 0 | 8 | 0 | 4 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 0 |

4 x 2 = 8 | 4 | 0 x 2 = 0 | 8 | 0 x 2 = 0 | 4 | 1 x 2 = 2 | 2 | 3 x 2 = 6 | 4 | 5 x 2 = 10 | 6 | 7 x 2 = 14 | 8 | 9 x 2 = 18 | 0 |

8 | 4 | 0 | 8 | 0 | 4 | 2 | 2 | 6 | 4 | 10 - 9 = 1 | 6 | 14 - 9 = 5 | 8 | 18 - 9 = 9 | 0 |

8 | 4 | 0 | 8 | 0 | 4 | 2 | 2 | 6 | 4 | 1 | 6 | 5 | 8 | 9 | 0 |

If we add all of the digits in the bottom row together, we get 67, which is not a multiple of 10, and therefore we conclude that the number 4408 0412 3456 7890 is an invalid credit card number.

By changing the check digit from 0 to 3, we arrive at the number 4408 0412 3456 7893, which does pass the Luhn check, since the sum of the digits in the bottom row would be 70, which is divisible by 10. 4408 0412 3456 7893 is, on the face of it, a valid credit card number.

The second credit card offer showed a picture of a card with the number 4417 1234 5678 9112.

The Major Industry Identifier (MII) is 4 (banking and financial), the issuer identifier is 441712 (a VISA partner), the account number is 345678911, and the check digit is 2.

Let's apply the Luhn check to 4417 1234 5678 9112, as we did in the previous example.

4 | 4 | 1 | 7 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 1 | 1 | 2 |

4 x 2 = 8 | 4 | 1 x 2 = 2 | 7 | 1 x 2 = 2 | 2 | 3 x 2 = 6 | 4 | 5 x 2 = 10 | 6 | 7 x 2 = 14 | 8 | 9 x 2 = 18 | 1 | 1 x 2 = 2 | 2 |

8 | 4 | 2 | 7 | 2 | 2 | 6 | 4 | 10 - 9 = 1 | 6 | 14 - 9 = 5 | 8 | 18 - 9 = 9 | 1 | 2 | 2 |

8 | 4 | 2 | 7 | 2 | 2 | 6 | 4 | 1 | 6 | 5 | 8 | 9 | 1 | 2 | 2 |

If we add all of the digits in the bottom row together, we get 69, which is not a multiple of 10, and therefore we conclude that the number 4417 1234 5678 9112 is an invalid credit card number.

By changing the check digit from 2 to 3, we arrive at the number 4417 1234 5678 9113, which does pass the Luhn check, since the sum of the digits in the bottom row would be 70, which is divisible by 10. 4417 1234 5678 9113 is, on the face of it, a valid credit card number.

These two credit card offers contained pictures with numbers which the Luhn check proved to be invalid. A change to their check digits made them ostensibly valid. But if I were you, I wouldn't try to charge anything with them.