Credit Card - How Unique is First6,Last4, expMonth & expYear

StackOverflow https://stackoverflow.com/questions/13809195

  •  06-12-2021
  •  | 
  •  

Question

I'm building a manager class with PHP to manage credit card payment authorizations. With credit cards, we're allowed to keep First6, last4, expiration_Month and expiration_Year.

I'm really interested in knowing how unique the combination of these 4 variables is and how likely it would be to run into another one.

Depending on how likely it is will effect when to test if we've already got a valid authorization for a new card. If we've already got an authorization for a particular card, there's no need to run the numbers again. Instead, we can find the already authorized card and do a re-authorization. However, I wouldn't want to run the wrong card because it has a similar First6, last4, expiration_Month and expiration_Year..

My goal is to limit data redundancy of credit card data, hits to the CC processor API and unnecessary authorizations on customer cards.

Was it helpful?

Solution

The First 6 tell you what kind of card you are dealing with. For a list of issuers see:

http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers

The last four are essentially random. The month will be essentially random, and the year will be in a small range from the current year to perhaps 6 years out. The year will exhibit some bias between possible values.

You will almost certainly have collisions if you combine those items to attempt to uniquely identify a card. That is not a reliable thing to do.

EDIT

Here are examples of recent security breeches similar to this scenario

http://blogs.cisco.com/security/6-5-million-password-hashes-suggest-a-possible-breach-at-linkedin/

http://www.infoworld.com/d/security/nvidia-investigating-breach-of-hashed-passwords-197796

https://www.infoworld.com/d/security/passwords-leaked-yahoo-boozy-preachy-angry-and-easy-197696

If a hacker can download data from the database of a large web company (typically the most-firewalled-away part of the architecture), chances are pretty good they can also access the application tier and grab the source code or compiled application that accesses the data layer.

OTHER TIPS

To expand on the previous answer. The left 6 are the BIN and are probably the same for all of your cards, so these are no help matching cards. Given the right 4 are random, the month is random, and the year has 1 of 6 values that means you have 10000 * 12 * 6 = 720,000 unique combinations.

If you have 100,000 cards total, then your odds are 1 in 7 of having a collision. If you have over 1,500,000 cards then a collision is a near certainty on every transaction.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top