Anatomy of a credit card: The Luhn Algorithm explained

When dealing with cardholder data discovery projects, we often get a lot of questions about credit card data formats — things like the PAN number, BIN ranges and Luhn checks. We thought some clarification was needed so we will describe below what a PAN number is made of, what BIN ranges refer to, and how you can use the Luhn algorithm (also known as Mod 10, and named after IBM scientist Hans Peter Luhn) to validate a credit card using pen and paper.

Three credit card data format components to know

A credit card number, for example 1234 5678 1234 5678, consists of three parts:

1. The bank identification number (BIN): The first six digits are the bank identification number (BIN) or issuer identification number (IIN). This string of numbers identifies the issuer of the card.
2. Account identification : The numbers between the bank identification number and the check digit –which can be six to nine digits long – are used to identify the individual account associated with the payment card.
3. The check digit: The last digit is the check digit and is added to validate the authenticity of the credit card number (based on the Luhn algorithm).

Bank Identification Number (BIN) and Issuer Information Number (IIN) Ranges

The first digit of the card represents the category of industry (IIN) that issued your credit card. For example if you use VISA or MasterCard, your card’s first digit should be either 4 or 5 as they are from the banking and financial industry. American Express is in the travel category and cards issued by them have 3 as the first digit. This is why some websites can automatically identify a valid card number after just one keystroke.

Below are some BIN numbers associated with related brands. As you can see the length of a credit card will vary depending on the brand, and they are not all 16 digits.

Using the Luhn Algorithm to Verify a Payment Card

The final digits of a credit card number is a check digit, akin to a checksum.

The Luhn algorithm, also known as a Mod 10 calculation, can be used to validate primary account numbers.

How to perform a Luhn check 

You can verify a credit card using the Luhn algorithm in a few simple steps:

      1. Write down the credit card number:

4417 1234 5678 9113

      2. Starting from the first number, double every other digit.

4(x2) 4 1(x2) 7 1(x2) 2 3(x2) 4 5(x2) 6 7(x2) 8 9(x2) 1 1(x2) 3

The doubled numbers result in: 8 2 2 6 10 14 18 2

        3. If the result of the doubling ends up with a two digits, then add those two digits together:

10 = 1+0 14= 1+4 18= 1+8

        4. Add up all numbers: 8+4+2+7 + 2+2+6+4 + 1+0+6+1+4+8 + 1+8+1+2+3 = 70

If the final sum is divisible by 10, then the credit card is valid. If it is not divisible by 10, the number is invalid or fake.

In the above example, credit card number 4417 1234 5678 9113 has passed the Luhn test.

Credit card discovery made easy with Card Recon

The Luhn algorithm will detect almost any single-digit error, such as someone mistyping numbers when they put in their credit card. The Luhn algorithm does not protect against malicious attacks, nor is it intended to. It is primarily a safeguard against simple user errors. Most credit cards and many government identification numbers use this check as a simple method to distinguish valid numbers from random digits. 

That said, your business doesn’t have to work out the Luhn algorithm by hand. A cardholder data discovery tool, like Card Recon, can scan your systems to identify thousands of credit, debit and pre-paid cards, and instantly determine which are valid. This is a crucial step for complying with security standards like PCI DSS and privacy laws such as GDPR and more. 

Learn more about how Ground Labs’ Card Recon can help you identify and secure credit cards for PCI DSS compliance and more.