
What does your credit card say about you?


Hello from Tim: This is a spruced up and updated version of a post I wrote in 2010. The post covers a few extra mini topics and some new services which have sprung up in the intervening years. So let me re-introduce you to what your credit card says about you…

Most people have shopped online with a credit or debit card and these days we barely think before using the plastic. But, the credit card details we put in don’t just make purchases. They can also tell us a lot about the user including banking habits, information such as town of origin, and even fraud risk.

Anatomy of a Credit Card Number

While this post refers to credit cards, most of what’s covered will be identical for debit cards and the rare charge card still out there. The information is also fairly international and standardised, but there will always be a little regional variance.

Credit Card Anatomy

MII – Master Industry Identifiers

The very first digit of the long string on your credit card is the master identification number, and it tells you which industry the card originated from:

0 ISO/TC 68 and other industry assignments
1 Airlines
2 Airlines and other industry assignments
3 Travel and entertainment
4 Banking and financial
5 Banking and financial
6 Merchandising and banking
7 Petroleum
8 Telecommunications and other industry assignments
9 National assignment

These are very broad areas, and some cards may not appear where you expect; they sit where they do for historical reasons. For example, American Express is in Travel and Entertainment rather than Banking.

Another slightly odd one out is the Best Buy credit card in the United States, which starts with a 7 (I have no idea why Best Buy thinks it’s in the Petroleum industry, but I suspect as it’s an HSBC white labelled card, HSBC owned a company that used to issue under these numbers.)

Just with the first digit we can tell:

If the card is a VISA card: they all start with 4
If it is a specialist business card: 0, 1, 7, 8 or 9
If it is a second tier card (normally a debit card): 6

With this information there is no real need to ask what type of credit card a user has, which is a pet annoyance as we already have the information encoded in the card number string. Thankfully, more and more payment gateways are simply looking at the card number rather than asking the end user. If you manage the credit card form yourself there are several good credit card validators out there. A nice jQuery plugin is jQueryCardValidator.

BIN – Bank Identification Number

Sometimes called the IIN (Issuer Identification Number), this is the first 4 or 6 digits of the card, including the MII at the front. With this number you can identify the issuing party, normally a bank. For example, 4047 83 is a NatWest Private Banking Visa Credit Card.

Thinking this is just restricted to credit and debit cards? Think again! 6034 50 is the number for a Starbucks Card (for Starbucks Europe), and there are several other loyalty cards that have BINs.

The complete BIN list is kept a closely guarded secret. While the reason normally cited for keeping the list secret is security by obscurity, it’s more likely simply to protect the bottom line of the ISO Registry and the American Bankers Association, who publish the list.

There are, however, numerous attempts to identify all cards. A short list can be found on Wikipedia, and a range of larger BIN databases is also available, including bindatabase.org and bindatabase.net/, which are user contributed. As you would expect, much like postcode data here in the UK, there are people selling copies of the data, but these lists may or may not be genuine, so buyer beware. In more recent years, as the illegal trade in credit cards from foreign countries has increased, a few more dubious sites have popped up to help credit card fraudsters check the validity of their ill-gotten gains. It would appear that the end users who purchase credit cards are tending to be scammed! Who would have thought it! Anyway, a word of caution – if googling around the subject of BINs you might find yourself on some less savoury sites.

Checksum

The last digit of the big long number is a checksum. This provides a quick way to validate the credit card number. While not useful in profiling the user, it’s worth noting that all modern credit and debit cards, including Laser Cards (contrary to Wikipedia), use Mod10, also known as Luhn’s algorithm. For anyone processing payments this is really important, as it’s a very quick test to help spot people mistyping card numbers. There are numerous libraries out there to help validate, including this simple Gist.
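The three pieces described above (MII, BIN and the Luhn check digit) pulled together in one small parser. This is an added example, not code from the original post; the BIN table only contains the handful of prefixes the post itself quotes, and the card numbers used in the comments are constructed test values, not real cards.

```python
from dataclasses import dataclass
from typing import Optional

# MII table, first digit -> industry, as listed in the post
MII = {
    "0": "ISO/TC 68 and other industry assignments",
    "1": "Airlines",
    "2": "Airlines and other industry assignments",
    "3": "Travel and entertainment",
    "4": "Banking and financial",
    "5": "Banking and financial",
    "6": "Merchandising and banking",
    "7": "Petroleum",
    "8": "Telecommunications and other industry assignments",
    "9": "National assignment",
}

# Tiny constructed BIN lookup using only prefixes quoted in the post.
# A real deployment would query a maintained BIN database instead.
KNOWN_BINS = {
    "404783": "NatWest Private Banking Visa Credit",
    "603450": "Starbucks Card (Europe)",
    "3713": "American Express Platinum",
}

def luhn_valid(pan: str) -> bool:
    """Mod10 / Luhn check over the whole number, check digit included.
    Catches single mistyped digits and nearly all adjacent transpositions."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:       # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9       # equivalent to summing the product's two digits
        total += d
    return total % 10 == 0

@dataclass
class CardInfo:
    mii: str
    industry: str
    bin: str
    issuer: Optional[str]
    luhn_ok: bool

def describe(pan: str) -> CardInfo:
    """Strip spaces/dashes, then report MII, 6-digit BIN, issuer and checksum."""
    digits = "".join(c for c in pan if c.isdigit())
    if not digits:
        raise ValueError("no digits in card number")
    # longest matching prefix wins, so a 6-digit BIN beats a 4-digit one
    issuer = next((name for pfx, name in sorted(KNOWN_BINS.items(),
                   key=lambda kv: -len(kv[0])) if digits.startswith(pfx)), None)
    return CardInfo(digits[0], MII.get(digits[0], "unknown"), digits[:6],
                    issuer, luhn_valid(digits))
```

A constructed 16-digit number on the NatWest prefix, 4047 8300 0000 0007, passes the checksum; swap its 7 and 8 (4047 3800 0000 0007) and `luhn_valid` rejects it, which is exactly the mistyping case the post cares about.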

Expiry Date and Sort Code/Issue Number

All credit cards have an expiry date and some also include a start date, though this is more common with debit cards. The two dates can be used to help with risk scoring. Newer cards will be at greater risk of chargebacks and issues. Older cards are more likely to be hitting credit limits and be maxed out. This is of course a huge generalisation, but it’s surprising how often older cards are hit with general error 0 (or similar, a polite “it’s declined” message).

Some debit cards have a 6 digit Sort Code (mainly in the UK). The first 2 digits indicate the issuer, much like the BIN number. The last 4 digits are for internal use only, but basically are branch & handling office identifiers. So, for example, 52-41-19 is NatWest, Woolpack Ely Branch.

Until recently it was virtually impossible to get hold of an accurate list, but the Payment Council have now opened up a Sort Code checker which gives location details and also some information about what types of payments can be made into accounts managed by that branch. With this data you know the location of the card holder when they opened their bank account, or at least the branch that manages that account in the case of online banking. Another word of caution – people move; their sort codes normally don’t. So while they may change their address and other billing information, the sort code will represent their original branch.

The issue number, again mainly on debit cards, shows how many of that type of card the holder has had. For example, if a user had an old Solo card, then was given a Switch/Maestro card, the issue number on the Switch card would be 1. An issue number could potentially be a way of validating a long-term stable credit rating, but is probably unreliable as such. With the slow demise of Solo/Maestro in the UK in favour of Visa Debit, the issue number rarely shows up.

Potential Uses For Credit Card Data?

Identifying High Value Customers

Let’s face it: we don’t all have platinum cards in our pockets (well if your card starts 3713 then you do), but just like in a shop, the colour of your credit card often affects your experience. In the online world, it can be the same.

Ecommerce data miners are looking for high value customers, and can identify more premium credit cards such as the Platinum American Express (3713), Black Card (UK: 3742 88) or Infinite Aerogold (4500 03). There are plenty of others, but just remember all that glitters is not gold! There are plenty of gold and platinum cards out there with low limits, and anyone can max out their card! It’s also worth remembering the days of charge cards with no limits have gone, with many of the old style charge cards being switched over to normal credit cards.

Identifying Fraud Risk/Spending Profiling

Some banks are going to be more likely to have a higher rate of chargebacks. In the UK, store cards (cards from high street stores, offering a percentage discount), most of which are really credit cards (with credit limits etc.) rather than loyalty cards, have a higher rate of chargebacks against them and represent a higher risk. This can be put down to:

Targeting people with bad or low credit score
Lots of pressure from sales staff to push the cards

As always there are exceptions; Marks and Spencer credit card users, for example, represent middle to high earners with good ratings.

In a similar vein, there are certain banks that have a different approach to risk assessment when offering credit and target specific demographics. While it would be unfair to assume all transactions will be fraudulent from these providers, it could be used in any risk calculations. In addition, you can use card types within profiling.

One example is something I worked on for a charity, when building their online donation system. The system allowed users to select how much they want to pay, so donations ranged from a few pounds to a few thousand in a single transaction. We developed a simple system that profiled incoming data to look for unusual transactions. For example, when we see a high value platinum card making a £1 donation, it is deemed far more suspicious than if they were making a £50 or £1000 donation. This is particularly important as credit card thieves looking to validate a card will often use a very small charitable donation as a test. The reason is that most people looking at their statement are unlikely to notice a £1 charge, and if they did they would see the charity name and assume they simply donated somewhere. On the other side of the coin, if a Solo card made a £1000 donation, we would consider that outside of the normal profile. The system could then flag the donation and let a volunteer contact the card holder to ask them to confirm the transaction.
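The tier-versus-amount check the donation system above describes, written out as an added example (this is not the charity’s code). The premium prefixes are the ones the post names; the tier bands, the thresholds and the 6334 prefix standing in for an old Solo debit card are assumptions, and the donations fed in are constructed sample data.

```python
from dataclasses import dataclass
from typing import Tuple

# Card tiers keyed by number prefix. Premium prefixes are quoted in the post;
# 6334 is assumed here as a Solo debit prefix and should be checked against
# a maintained BIN database before use. Anything unmatched is "standard".
TIER_BY_PREFIX = {
    "3713": "premium",     # American Express Platinum
    "374288": "premium",   # UK Black Card
    "450003": "premium",   # Infinite Aerogold
    "6334": "low",         # assumed Solo debit card prefix
}

# Expected donation band (min, max) in pounds per tier: constructed thresholds.
EXPECTED_RANGE = {
    "premium": (10.0, 5000.0),
    "standard": (1.0, 1000.0),
    "low": (1.0, 250.0),
}

@dataclass
class Donation:
    pan: str          # card number as entered on the form
    amount_gbp: float

def card_tier(pan: str) -> str:
    """Longest matching prefix wins; unknown cards fall back to 'standard'."""
    digits = "".join(c for c in pan if c.isdigit())
    for pfx in sorted(TIER_BY_PREFIX, key=len, reverse=True):
        if digits.startswith(pfx):
            return TIER_BY_PREFIX[pfx]
    return "standard"

def assess(d: Donation) -> Tuple[str, str]:
    """Return ('accept' | 'review', reason). 'review' means a volunteer
    should phone the card holder before the donation is treated as genuine."""
    tier = card_tier(d.pan)
    lo, hi = EXPECTED_RANGE[tier]
    if d.amount_gbp < lo:
        # the card-testing pattern: a premium card making a tiny donation
        return "review", f"{tier} card giving £{d.amount_gbp:.2f} is below the usual band"
    if d.amount_gbp > hi:
        return "review", f"{tier} card giving £{d.amount_gbp:.2f} is above the usual band"
    return "accept", "within the normal profile for this card tier"
```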

Just Being Nosy

Acorn Database

When you combine this information with other buyer mining, you can come up with quite a comprehensive overview of a user. Their credit card choice and postcode are enough, along with demographic information from the Acorn Database (for those in the UK), which is a large database of demographics by postcode. ACORN and similar address demographics cover everything from community engagement and how likely someone is to be on benefits, through to rough income ranges and number of children. Combine this with card details and you can get some frighteningly detailed profiles; of course this sort of profiling can go horribly wrong as well.

Of course it’s not just online that your card is spilling information about you; with many cards now carrying NFC (near field communication), people no longer even need to see your card to find out all sorts about you.

So, next time you use a credit card, ask yourself how much does your card say about you?

Photo Credit https://www.flickr.com/photos/smemon/12696032183/
