How useful are credit card numbers anymore?
Credit cards and their debit card cousins are an unmistakable and unavoidable part of modern life. In 2024, American consumers used the former for 35% and the latter for 30% of all purchases. That said, digital payments are growing, preferred by many not only for convenience, but also for the peace of mind added by the layers of security bundled into digital wallets.
So, what really is the point of those 15 or 16 numbers on the card?
Credit card numbers are surprisingly sophisticated for what just looks like a string of digits. Let’s look at how one is constructed:
- The first digit identifies the industry and/or card network, and is known as the Major Industry Identifier (MII). AmEx cards all start with a 3, Visa with a 4, Mastercard with a 5, and Discover with a 6.
- The next 5 numbers identify the financial institution that is the issuer of the card, generally a bank like Wells Fargo or Chase. Together with the first digit, this is known as the Issuer Identification Number (IIN) or Bank Identification Number (BIN).
- The next 9 to 12 numbers identify the specific account represented by the card. These are the digits that make your card your card.
- The final digit, often known as the checksum, is used to validate the whole credit card number: this is how the payment ecosystem ensures that a proffered credit card number could even be valid, so that made-up numbers aren’t presented to card networks, where they would inevitably fail.
Of the 16 digits, only 9 may be unique to your card. If a hacker knows that you have a Visa card issued by Chase, they may already have the first four to six digits determined.
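The structure above can be checked in a few lines. The following is an added example, not code from the original article: it splits a card number into the fields listed above and verifies the final digit with the Luhn algorithm, which is the checksum payment cards use. The function and class names are illustrative, and the sample values are widely published test numbers, not real accounts.

```python
from dataclasses import dataclass

# First-digit (MII) examples taken from the list above.
NETWORK_BY_MII = {"3": "American Express", "4": "Visa",
                  "5": "Mastercard", "6": "Discover"}

def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:      # every second digit, counting from the right
            value *= 2
            if value > 9:          # same as adding the two digits of the product
                value -= 9
        total += value
    return total % 10 == 0

@dataclass(frozen=True)
class CardNumber:
    network: str
    iin: str          # first six digits, MII included
    account: str      # digits between the IIN and the check digit
    check_digit: str
    luhn_ok: bool

    def masked(self) -> str:
        """Log-safe form: keep the IIN and the last four digits, hide the rest."""
        tail = (self.account + self.check_digit)[-4:]
        hidden = len(self.account) + 1 - 4
        return self.iin + "*" * hidden + tail

def parse_card_number(raw: str) -> CardNumber:
    digits = raw.replace(" ", "").replace("-", "")
    # 15 or 16 digits on most cards; the account field can extend the total to 19.
    if not (digits.isascii() and digits.isdigit() and 15 <= len(digits) <= 19):
        raise ValueError("expected 15 to 19 decimal digits")
    return CardNumber(
        network=NETWORK_BY_MII.get(digits[0], "other"),
        iin=digits[:6],
        account=digits[6:-1],
        check_digit=digits[-1],
        luhn_ok=luhn_valid(digits),
    )

# Widely published test numbers, not real accounts.
VISA_TEST = "4111 1111 1111 1111"
AMEX_TEST = "3782 822463 10005"
```

A passing Luhn check only means the number is well formed; it says nothing about whether an account exists behind it.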
How hard are credit card numbers to guess?
The good news is that the likelihood of someone guessing the credit card number for a given individual’s account is near zero: with 16 digits, there are 10 quadrillion possible combinations. That said, consumers are often shocked to find that someone has fraudulently used “their” credit or debit card, even if they themselves have never let it out of their sight!
This is because it is entirely possible to either:
- Purchase credit card numbers from criminals who have stolen them during security breaches at merchant sites, banks, or other organizations that have the information stored insecurely.
- Calculate plausible card numbers and use brute force attacks to validate which ones correspond to currently valid accounts. Given that there are roughly 4.5 billion credit card accounts in the world, and there are 10 quadrillion possible combinations of 16 digits, hackers’ chances of hitting the jackpot are roughly one in two million. However, there are shortcuts they can take to improve their odds.
The addition of chips to physical credit cards and the increasing availability of portable terminals have markedly reduced the incidence of card-present fraud, by some counts by as much as 80 percent. Not only are merchants not being scammed by customers using stolen cards (as the user must often now add a PIN), consumers have reduced their risk by not having to hand a card over to a restaurant server who takes it out of their sight.
Credit Card Fraud Enters the Digital Realm
While it is becoming increasingly complex to use stolen physical credit cards, fraud has grown significantly in both the physical and digital spaces. Social engineering has become a significant factor in credit card fraud, with unscrupulous actors tricking consumers into sharing their credit card numbers, and even literally stealing cards from mailboxes.
Card networks are also increasingly concerned about what is known as the "Fake Store Epidemic," where fraudsters can quickly and easily set up convincing-looking online stores, offering desirable merchandise at low prices, and then persuade unsuspecting consumers to enter their card numbers.
Meanwhile, any number of new exploits are being rolled out, including:
- Bots testing credit card numbers at scale and high speed to find ‘good’ ones.
- Session hijacking, in which hackers intercept signals moving between the consumer and the merchant to steal authorization codes.
- Sophisticated card skimming, where ATM or POS systems are physically hacked to store and transmit valid credit card numbers to fraudsters.
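Card testing by bots leaves a recognizable trace on the merchant side: one source trying many different cards, usually sharing a BIN, in a short time, with most attempts declined. The following is an added example, not part of the original article, of a sliding-window check for that pattern. The event layout, thresholds and sample data are constructed for illustration, and the card fingerprint stands for a keyed hash or token, never the raw number.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # illustrative thresholds, tune against real traffic
MIN_DISTINCT_CARDS = 5
MIN_DECLINE_RATIO = 0.8

def find_card_testing(events, window=WINDOW_SECONDS,
                      min_cards=MIN_DISTINCT_CARDS,
                      min_decline_ratio=MIN_DECLINE_RATIO):
    """events: (timestamp, source, bin6, card_fingerprint, approved), sorted by time.

    Returns {(source, bin6): peak number of distinct cards seen in one window}
    for every source that crossed both thresholds.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, source, bin6, card_fp, approved in events:
        key = (source, bin6)
        attempts = recent[key]
        attempts.append((ts, card_fp, approved))
        while ts - attempts[0][0] > window:      # drop attempts outside the window
            attempts.popleft()
        cards = {fp for _, fp, _ in attempts}
        declines = sum(1 for _, _, ok in attempts if not ok)
        if len(cards) >= min_cards and declines / len(attempts) >= min_decline_ratio:
            flagged[key] = max(flagged.get(key, 0), len(cards))
    return flagged

# Constructed sample data (documentation IP ranges, made-up fingerprints).
SAMPLE_EVENTS = sorted(
    # One source cycling through eight cards on one BIN in 14 seconds, one approval.
    [(2 * i, "203.0.113.7", "411111", f"fp-{i:02d}", i == 6) for i in range(8)]
    # A customer who mistyped once and retried the same card.
    + [(5, "198.51.100.20", "545454", "fp-a", False),
       (20, "198.51.100.20", "545454", "fp-a", True)]
    # A source with three different cards spread over hours, all approved.
    + [(t, "192.0.2.5", "601100", f"fp-x{t}", True) for t in (0, 4000, 9000)]
)
```

Calling `find_card_testing(SAMPLE_EVENTS)` flags only the first source; the retrying customer and the slow, approved traffic stay below both thresholds.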
The good news is that new technologies, particularly in the area of digital payments, are making many of these exploits, and possibly even the static, printed-on-a-card, credit card number, a thing of the past.
Digital wallets, tokenization, and one-time use codes.
Generally speaking, when consumers register a credit card with a digital wallet like Apple Pay, the system stores the card number on its well-protected servers and supplies only a token to the user’s device. This protects them from having their card information stolen along with their device.
Subsequently, when the consumer uses the wallet, they make the request to the provider using the token, which the provider validates first locally (this is why you have to use your password or Face ID on your smartphone), then runs checks on its own end to ensure the card has not been reported stolen or otherwise invalidated, and only then attempts the payment process.
Apple has also introduced the concept of the Apple Pay merchant token, also known as the MPAN, which ties together the customer, the payment card, and the merchant. An MPAN is granted to a merchant to use for submitting transactions, and is particularly secure, as it not only uses a token representing the credit card number, but is usable by only one merchant (i.e., if stolen, it could not be used by anyone else), and is clearly set up to allow a particular kind of charge (i.e., a one-time use MPAN cannot be used to charge the customer on a schedule).
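The properties described above (the card number stays with the provider, the token works for one merchant only, and it permits one kind of charge) can be modeled in a small token service. The following is an added example, not Apple's implementation and not code from the original article; the class, method names and decline reasons are hypothetical, and the rule that a one-time token is spent after one charge is an assumption of the model.

```python
import secrets

class TokenVault:
    """Toy stand-in for a wallet provider's token service (constructed)."""

    def __init__(self):
        self._tokens = {}            # token -> record; the PAN never leaves the vault
        self._blocked_pans = set()   # cards reported stolen or invalidated

    def issue(self, pan: str, merchant_id: str, usage: str) -> str:
        if usage not in ("one_time", "recurring"):
            raise ValueError("usage must be 'one_time' or 'recurring'")
        token = "tok_" + secrets.token_hex(12)   # random, not derived from the PAN
        self._tokens[token] = {"pan": pan, "merchant": merchant_id,
                               "usage": usage, "charges": 0}
        return token

    def report_stolen(self, pan: str) -> None:
        self._blocked_pans.add(pan)

    def authorize(self, token: str, merchant_id: str, scheduled: bool = False):
        """Return (approved, reason). Every rule is checked before any charge."""
        record = self._tokens.get(token)
        if record is None:
            return False, "unknown token"
        if record["merchant"] != merchant_id:
            return False, "token bound to another merchant"
        if record["pan"] in self._blocked_pans:
            return False, "card reported stolen"
        if record["usage"] == "one_time" and scheduled:
            return False, "one-time token cannot be charged on a schedule"
        if record["usage"] == "one_time" and record["charges"] >= 1:
            return False, "one-time token already used"   # assumption of this model
        record["charges"] += 1
        return True, "approved"
```

A token taken from one merchant's systems is declined when presented by any other merchant, which is what makes it worthless to a thief.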
There is a strong argument that the MPAN is the next natural evolution of the credit card number: it is secure, worthless if hacked, and effective.
Credit card numbers are necessary, but their use is changing.
Credit card numbers are a necessary evil: somehow, the payments ecosystem needs a way to distinguish between customers and accounts.
In the past, the credit card number has been a security headache, whether from customers handing physical cards to strangers to pay bills, or typing them into unscrupulous actors’ websites. However, as evidenced by the example of the MPAN, the risks are decreasing, as more and more payments go online, and fewer and fewer occasions arise when the numbers are shared with others. As customers continue to move towards using digital wallets for debit and credit card payments, merchants will increasingly deal with the MPAN and its related entities.
For merchants seeking to continue delivering top-grade services to their customers, upgrading payment systems to manage virtual credit card numbers is essential. Many start with a programmable payments vault, which can securely capture and store personally identifiable information, and open up a world of possibilities by offering merchants complete control over the PSP partners they choose to complete transactions.