We’ve all seen, “sorry, invalid credit card number”on the screen when ordering educational materials online, but how did they know?

They didn’t check your credit card number against every single credit card number on the planet. That takes too long and they’ve got important money to make.

Rather, credit card processors use a simple formula, called the Luhn algorithm.

Starting with the farthest right digit, they sum the double of every second digit. If the result is a double digit, both digits are added together. The results are summed. If the final result ends in zero, it’s a valid credit card number. If the final result doesn’t end in zero, it’s not valid.

So, the next time a website denies your education material purchase order, shout, “Damn you, Luhn!” — BEN POPKEN

Credit Card Validation – Check Digits [Beachnet]

Luhn Algorithm [Wikipedia]

Previously: What A Credit Card’s First Digit Means

I wrote a quick checksum calculator about 8 years ago when I processed transactions by hand in my home office. I fired it up and tested some numbers. It appears that any given number has a 1 in 8 shot of being correct. So the algorithm only has very limited protection against accidental transposed digits. “Credit card number generators” do exist and one can easily Google them, which simply give sets of numbers that pass the Luhn algorithm, but the chance of a number being VALID is perhaps 1 in 100 or 1 in 1000 or higher, and you have to have a valid expiration date to even be able to ring a transaction through.

Just FYI (for y’alls info).

Recently I’ve started suspecting the algorithm used to generate the numbers. It wasn’t until I moved to Canada that I noticed four of my credit/debit cards across two countries (US and Canada) have the same of similar groupings of numbers (eg 4045 appears somewhere on all of them). Furthermore, I noticed the same grouping of numbers turn up when I created a new bank account in Canada. Very odd and I suspect the algorithm is weakening becuase of use…ie no longer generating unique numbers. Time to put that Appled Math degree to use. Of course, it could be my universal number assinged to me from birth by the Illuminati…

I have a weird thing about believing these sort of mathy posts (here or anywhere) until I’ve tried them. I was all set to post a triumphant “Ha, my credit card doesn’t use that pattern!” until I checked the wikipedia and learned how to do the formula properly (I was starting all the way to the right rather than skipping one in to do the doubling)…and now it works. Alas. I’m not cool enough to have some sort of freak divergent number.

5cents, this card has the same first 8 (!) digits as my last card. Both are BofA debit/visa cards and this was a replacement when they put my photo on there (and it’s almost as bad as my DL photo, so you can imagine my complete joy every time I see it). It drove me nuts when I was trying to memorize the new number because the changes weren’t major enough.

don’t suppose your back account number is in there is it? on every card i have ever got from my bank…

the first 7 are the same every time… then the next 6 are my account number… then the last 3 are the only thing that ever changes… always incrementing in a seemingly random amount (presumably to make this algorithm work).

i imagine the first 7 numbers that don’t change are related in some way to the institution. though i never checked any other card from someone else from the same place… so who knows. maybe generated from my name or SSN or something?

of course the expiration date changes every time as well as the 3-4 digit extra verification number deal.

I heard the CVC (that’s the 3-4 digit number on the back) is still derivable from the numbers on the front using yet more math, i.e. it’s NOT randomly generated at all. So no protection there. Further more, if you know when the start date of the account or card is, you can easily guess the end date (most bank cards expire after 2-4 years).

the first set of digits on your credit card is known as a BIN – or bank identification number. it’s kind of like a bank routing number. every card from a particular institution will have the same first 4 digits.

the CVC (aka CVV or CVV2) is generated from the card number & exp. date & uses a unique logarithm – the logarithm is different from institution to institution (& card type to card type). while there may be some overlap here, presumably a fraudster creating cards would need to calculate each possible logarithm & create a few hundred cards to get just one to work. also, note that the CVV is not encoded in the mag stripe & verification is done on the processor level during the authorization process.