Cardholder Data Discovery: Anatomy of a Credit Card, BIN ranges & Luhn checks

We often get the same questions regarding length of a PAN number, BIN ranges and Luhn checks when dealing with cardholder data discovery projects. We thought some clarification was needed so we will describe below what a PAN number is made of, what BIN ranges refer to and how you can work out a Luhn check (also know as MOD10) and validate a credit card using pen and paper.

Anatomy of a Credit Card

A credit card number, for example: 1234567812345678, consists of 3 parts:
Anatomy of a creditcard
The bank identification number
The first six digits is the bank identification number (BIN) or issuer identification number (IIN) to identify the issuer of the card.
The acccount number
The number between the bank identification number and the check digit is 6 to 9 digits long and is used to identify the individual account number.
The check digit
The last digit is the check digit and is added to validate the authenticity of the credit card number (based on the Luhn algorithm).

Bank Identification Number (BIN) & Issuer Information Number (IIN) ranges

The first digit of the card represents the category of industry (IIN) that issued your credit card. For example if you use VISA or MasterCard, your card’s first digit should be either 4 or 5 as they are from the banking and financial industry. American Express is in the travel category and cards issued by them have 3 as the first digit. Below is the list of issuer category.

IIN numbers

Below are some BIN numbers associated to related brands. As you can see the length of a credit card will vary according to the brand. They are not all 16 digits.

Credit card brand

Bank identification number prefix

Credit card number length

American Express

34|37

15

Diners Club Carte Blanche

300-305

14

Diners Club International

36

14

Diners Club US and Canada

54|55

16

Discover Card

6011|622126-622925|644-649|65

16

InstaPayment

637-639

16

JCB

3528-3589

16

Laser

6304|6706|6771|6709

16-19

Maestro

5018|5020|5038|6304|6759|6761|6762|6763

Dec-19

Mastercard

51-55

16

Visa

4

13|16

Visa Electron

4026|417500|4508|4844|4913|4917

16

Luhn check or MOD 10 checksum

The final digit of your credit card number is a check digit, akin to a checksum. The algorithm used to arrive at the proper check digit is called the Luhn algorithm, after IBM scientist Hans Peter Luhn (1896-1964).
The LUHN Formula, known also as a Mod 10 calculation, can be used to validate primary account numbers.

How does it work using pen and paper?

➢ Write down the credit card number:

4417 1234 5678 9113

➢ Starting from the check digit and moving to the left, double every second digit

4(x2) 4 1(x2) 7 1(x2) 2 3(x2) 4 5(x2) 6 7(x2) 8 9(x2) 1 1(x2) 3

The doubled numbers result in: 8 2 2 6 10 14 18 2

➢ If the result of the doubling ends up with a 2 digit number then add those 2 digits together:

10 = 1+0 14= 1+4 18= 1+8

➢ Add up all numbers:

8+4+2+7 + 2+2+6+4 + 1+0+6+1+4+8 + 1+8+1+2+3 = 70

If the final sum is divisible by 10, then the credit card is valid. If it is not divisible by 10, the number is invalid or fake. In the above example, credit card number 4417 1234 5678 9113 has passed the Luhn test.

The LUHN formula was designed to protect against accidental errors, not malicious attacks. Most credit cards and many government identification numbers use the algorithm as a simple method of distinguishing valid numbers from random digits. The LUHN algorithm will detect almost any single-digit error.

There you have it, the anatomy of a credit card number.