Why test credit and debit card transactions?
When you build a payment transaction system, it’s...
Learn the meaning behind the different parts found on a credit card, as well as their function and relevant PCI DSS requirements, with this overview and FAQ.
Each component of a credit card serves an important function to different stakeholders in the lifecycle of a card transaction. Understanding these digits, elements, and technologies, as well as their purpose and Payment Card Industry Data Security Standard (PCI DSS) requirements, can help organizations of all sizes optimize their payment stack, strategy, and compliance posture.
The Payment Card Industry Security Standards Council (PCI SCC) created the PCI DSS to abstract the differences between card brands, such as format, placement, and terminology, to standardize a security framework. Despite this, many inconsistencies remain that can be frustrating. For example, American Express places its 4-digit security code on the front of the card, while Visa's 3-digit security code is on the back. What’s important to know the security code and its role in the payment lifecycle.
Account data refers to the information presented or embedded in a physical card. Together, this data provides the necessary information to route and verify payment information with various parties throughout the transaction lifecycle.
For the purposes of PCI DSS compliance, it’s important to know that account data breaks down into two subsets that we’ll explain in the following sections:
Cardholder data (CHD) consists of the full Primary Account Number, or the 16-digit card number (or 15-digit for American Express), Expiration Date, Cardholder Name, and Service Code. With the proper controls in place, this card information can be stored on file. When combined with the necessary authorization request, doing so allows merchants to reinitiate transactions.
You can think of a Primary Account Number (PAN) as a mailing address. Each digit in the 15-to-16-digit string helps processors, networks, and issuing banks find your account among the hundreds of millions of cardholders.
The PAN comprises three main parts—one of which has a sub-part. Hierarchy below:
The Bank Identification Number (BIN), or Issuer Identification Number (IIN), is the first six to eight digits in the PAN. It routes payment instructions to the correct network and its member bank or credit union.
The Major Industry Identifier (MII) is the first digit of the BIN and PAN. In a nutshell, it indicates to processors which card brand (e.g., Visa, Mastercard, American Express, or Discover) to send the payment for further processing.
While there are 10 MII, as you see below, there are likely only four you need to know.
The card networks use the remaining BIN digits to determine which financial institutions to route the transaction for further processing.
An Account Identifier is a unique account number used by an issuing bank to identify a cardholder’s account. Going back to our mail service analogy, you can think of your Account Identifier as your home’s unit number and street. It ultimately tells the bank which ledger account it should debit or credit.
A Validator Digit, also known as a check digit, is a popular method for validating the accuracy of a long string of preceding numbers.
In the context of payment card processing, the Validator Digit is used to ensure the accuracy of the PAN. For example, if a customer mistakenly enters a ‘2’ instead of a ‘3’ at check out, the validator digit would be incorrect, indicating that the number is invalid. This is a great way to catch small inconsistencies upfront before they reach the networks (and reduce the strain on the systems that support them).
PCI DSS defines the Service Code as a:
“Three-digit or four-digit value in the magnetic stripe that follows the expiration date of the payment card on the track data. It is used for various things such as defining service attributes, differentiating between international and national interchange, or identifying usage restrictions.”
For example, a service code tells a merchant and processor whether to process the card as a debit or credit card.
The Sensitive Authentication Data (SAD) contains information used to verify transactions and prevent abuse. Unlike CHD, SAD cannot be stored and must be immediately deleted after authorization (unless you’re an issuer).
As it pertains to the information on your card, SAD is comprised of the security code (or Card Verification Code or Value), EMV chip, and a subset of information found in the magnetic strip. Let’s dig in briefly on each.
A Card Verification Code (CVC) or Value (CVV) is the 3-digit that is printed on the back of a payment card or a 4-digit code printed on the front (i.e., American Express). As noted, this security code cannot be stored on the magnetic stripe or EMV chip of the card, but why?
While it doesn’t seem like much, requiring the CVC or CVV for card-not-present transactions helps verify that your card is in your possession. Were your card ever compromised with your CVV, attackers would have free reign to use your card anywhere.
EMV stands for Europay, Mastercard, and Visa—the original developers of the technology. The technology has since been adopted by other payment card networks and is now a global standard for payment card security.
The EMV chip is a small, microprocessor-based integrated circuit that is embedded into a payment card. This differs from the traditional magnetic strip, which stores cardholder data and some verification logic as static data. Whereas the information embedded in the magnetic strip will never change during its lifetime, the EMV chip generates a unique code for each transaction. This makes it much more difficult for fraudsters to capture and use cardholder data in a fraudulent transaction.
The magnetic strip has been around for ages and contains both CHD and SAD (for card-present purchases). Per our previous comment, the SAD data found inside the mag stripe cannot be stored by merchants.
The Card Verification Code (CVC) or value (CVV) are different terms used by Visa and Mastercard to refer to the same 3-digit or 4-digit security code on a plastic card. Both are considered sensitive authentication data and cannot be stored by merchants. This security code adds another layer of protection for card-not-present transactions, ensuring those without your physical card can’t easily use it for other online purchases.
A service code is a set of three digits embedded into the magnetic strip that provides information about the card and how it can be used. A security code (aka CVC or CVV), on the other hand, is a unique string used to verify the authenticity of a transaction. This code is typically located on the back of a payment card and is not embossed on the card itself, making it a bit more difficult for bad guys to obtain.
While some variations in format, terminology, and layout from card brand-to-card brand exist, all credit card components use the same base components to initiate, route, and verify a transaction. In this blog, we broke down the two key components of credit cards—cardholder data (CHD) and sensitive authentication data (SAD)—as well as some of the limitations PCI DSS imposes on each.
Next, learn about tokenization broadly or credit card tokenization more specifically and the important role it plays in reducing scope, complexity, and optimizing your payment stack without exposing yourself to the costs and distractions of hosting your own cardholder data environment.
When you build a payment transaction system, it’s...
Payments become delinquent when they are not made according to a pre-agreed schedule. Almost by...