23

I was putting in my cc number and as soon as I had finished inputting 16 digits it highlighted it in red. I looked it over and realized one digit was wrong. Corrected it, it became black. How did the website know it was wrong?

larry909
  • 12
    That is called a checksum - credit cards use them. This is not a security question, tho. – Tobi Nary Jul 05 '19 at 10:27
  • 16
    @Tobi Nary How information is validated is a legitimate security question. – Patriot Jul 05 '19 at 22:22
  • 4
    @TobiNary that's an answer, already. – Criggie Jul 05 '19 at 22:43
  • So this checksum strongly limits the amount of credit card numbers available for use. How long before we run out of numbers? – larry909 Jul 05 '19 at 23:33
  • 6
    https://en.wikipedia.org/wiki/Payment_card_number - 12 digits per issuer => 10^12 cards. I think we'll run out of people first, not to mention plastic. – Rich Jul 06 '19 at 05:49
  • ["the first 6 numbers are called the BIN number."](https://money.stackexchange.com/questions/29779/what-do-the-numbers-on-my-credit-debit-card-mean#comment44898_29780) – Mazura Jul 07 '19 at 00:40
  • 1
    This is a duplicate, **but I don't believe it's off-topic** unless we also close the suggested duplicate. – forest Jul 08 '19 at 00:47
  • Tempted to close the suggested duplicate as well. This is not exactly an infosec question. – Rory Alsop Jul 09 '19 at 11:42

2 Answers

50

Credit card numbers can be verified by calculating a checksum.

Every credit card number created is assigned a number following an algorithm.

Ross Millikan: The checksum specifies the last digit, so there are 15 digits left. That should mean there are 10^15 numbers available, but there are other restrictions. The first digit is the card type (4=Visa, 5=MasterCard, etc.) and the next several have to do with the issuer.

Following that, if a credit card number does not comply with the algorithm, the checksum is incorrect so the number must be invalid.

The algorithm is called the “Luhn algorithm”, check this Wikipage for more Info.

TripeHound: Note: if a given number fails the check, it is definitely not a real CC number. However, if it passes the check, it only proves that it is a potential CC number: it does not prove that it has actually been issued. The next stage of verification (talking to a card-processor) should verify that. Similar checks can be made on UK sort-code/account-number pairs (and probably something similar in other countries) and on International Bank Account Numbers (IBANs)

Edit: Added some of the information given in the Comments to the Answer. Please go and give them an Upvote too, it's great information.

Jens Krüger
  • 40
    Note: if a given number _fails_ the check, it is _definitely_ not a real CC number. However, if it _passes_ the check, it only proves that it is a _potential_ CC number: it does not prove that it has actually been issued. The next stage of verification (talking to a card-processor) should verify that. Similar checks can be made on [UK sort-code/account-number pairs](https://www.sortcodes.co.uk/modulus-checking.html) (and probably something similar in other countries) and on [International Bank Account Numbers (IBANs)](https://en.wikipedia.org/wiki/International_Bank_Account_Number) – TripeHound Jul 05 '19 at 12:40
  • 1
    Also [Vehicle Identification Numbers (VINs)](https://en.wikibooks.org/wiki/Vehicle_Identification_Numbers_(VIN_codes)/Check_digit). – Bobson Jul 05 '19 at 13:31
  • 1
    I agree that this answer is the most likely scenario. An alternative is the website *could* be validating your card via a service on keyup, keydown, onBlur, etc. – Fortytwo Jul 05 '19 at 20:31
  • 1
    @FortyTwo They *could* be validating your card on an event, but verification of something like a card is usually purposefully made inherently slow for security. – David Archibald Jul 05 '19 at 21:54
  • 2
    And EAN barcode numbers. And personal ID numbers in most countries. And railway car markings. And... it goes on and on. Practically everything that has a long numeric identifier these days and back a few decades. – Gábor Jul 05 '19 at 23:28
  • 3
    @larry909: The checksum specifies the last digit, so there are 15 digits left. That should mean there are 10^15 numbers available, but there are other restrictions. The first digit is the card type (4=Visa, 5=MasterCard, etc.) and the next several have to do with the issuer. – Ross Millikan Jul 06 '19 at 00:34
  • 2
    There are 2 trillion numbers available for American Express cards. The size of the numbers was obviously chosen so that they wouldn't run out soon. If they did somehow run out, they can just add an extra digit. – Robyn Jul 06 '19 at 01:37
  • 1
    The companies almost surely go back into circulation with new expiration dates and CVC codes after being dormant for a sufficiently long amount of time as well. There might not be a need to increase above 15 digits this century. – whatsisname Jul 06 '19 at 03:27
  • 12
    The algorithm is called “Luhn algorithm”, perhaps you could mention its name in the answer? – Alexander Revo Jul 06 '19 at 15:54
  • 1
    @RossMillikan If only it were as simple as one digit to identify the card type, and we could all hard-code a list of 10 card types that was valid forever. Alas, it's a lot more complicated than that, and full databases are remarkably hard to get hold of. A brief set of prefixes is here, but there are plenty of caveats and overlapping ranges: https://en.wikipedia.org/wiki/Payment_card_number#Issuer_identification_number_(IIN) – IMSoP Jul 06 '19 at 22:34
0

Most credit card providers use a form of checksum for their credit card numbers, generally the Luhn Algorithm. Verifying the Luhn Algorithm is as simple as executing it on a number and obtaining 0 as a result. If a different result is obtained, then the checksum fails.

You can see on the Payment card number page in Wikipedia that credit card number issuers can be recognized by their prefix and number of digits, and that to this day a single issuer (Diners Club enRoute) does not use the Luhn Check.

It is customary to use the Luhn Check as early as possible when validating inputs, so as to provide quicker feedback to the user, and reduce processing costs.


The algorithm is used by many other types of numbers, as you can see in the Wikipedia article. It is a rather simple way to protect against many kinds of typos or transmission errors. It is not fool-proof, though, and most notably certain easy mistakes, such as inverting the order of two consecutive digits, are not detected.

Matthieu M.
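The check both answers describe, as an added example that is not part of either answer or of any website's actual code: a Luhn validator of the kind a payment form can run in the browser as the digits are typed, plus two helpers that measure which typos the checksum catches. The function names, the 12 to 19 digit length range and the sample numbers are assumptions constructed for illustration.

```javascript
// Added example, not code from the page; sample numbers are constructed test values.
// Luhn sum: from the right, double every second digit; a doubled value above 9
// has 9 subtracted (the same as adding its two digits).
function luhnSum(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    const d = digits.charCodeAt(digits.length - 1 - i) - 48;
    sum += i % 2 === 1 ? (d * 2 > 9 ? d * 2 - 9 : d * 2) : d;
  }
  return sum;
}

// Field-level check: strip separators, require 12 to 19 digits (assumed range), test checksum.
function isLuhnValid(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  return luhnSum(digits) % 10 === 0;
}

// The last digit is fully determined by the digits before it.
function checkDigit(payload) {
  return String((10 - (luhnSum(payload + "0") % 10)) % 10);
}

// Count single-digit typos of `number` that would still pass the check.
function undetectedSingleDigitTypos(number) {
  let passed = 0;
  for (let pos = 0; pos < number.length; pos++) {
    for (let d = 0; d <= 9; d++) {
      if (String(d) === number[pos]) continue;
      const typo = number.slice(0, pos) + d + number.slice(pos + 1);
      if (isLuhnValid(typo)) passed++;
    }
  }
  return passed;
}

// List adjacent-digit swaps of `number` that still pass the check.
function undetectedSwaps(number) {
  const passing = [];
  for (let pos = 0; pos + 1 < number.length; pos++) {
    if (number[pos] === number[pos + 1]) continue;
    const swapped = number.slice(0, pos) + number[pos + 1] + number[pos] + number.slice(pos + 2);
    if (isLuhnValid(swapped)) passing.push(swapped);
  }
  return passing;
}

console.log(undetectedSingleDigitTypos("4111111111111095"), undetectedSwaps("4111111111111095"));
```

A passing result only shows the number is well-formed; whether it was ever issued is still a question for the card processor, so this check belongs in front of that call, not in place of it.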