Question

I'm building a manager class with PHP to manage credit card payment authorizations. With credit cards, we're allowed to keep First6, last4, expiration_Month and expiration_Year.

I'm really interested in knowing how unique the combination of these 4 variables is and how likely it would be to run into another one.

Depending on how likely it is will affect when to test if we've already got a valid authorization for a new card. If we've already got an authorization for a particular card, there's no need to run the numbers again. Instead, we can find the already authorized card and do a re-authorization. However, I wouldn't want to run the wrong card because it has a similar First6, last4, expiration_Month and expiration_Year.

My goal is to limit data redundancy of credit card data, hits to the CC processor API and unnecessary authorizations on customer cards.


Solution

The First 6 tell you what kind of card you are dealing with. For a list of issuers see:

http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers

The last four are essentially random. The month will be essentially random, and the year will be in a small range from the current year to perhaps 6 years out. The year will exhibit some bias between possible values.

You will almost certainly have collisions if you combine those items to attempt to uniquely identify a card. That is not a reliable thing to do.

EDIT

Here are examples of recent security breaches similar to this scenario:

http://blogs.cisco.com/security/6-5-million-password-hashes-suggest-a-possible-breach-at-linkedin/

http://www.infoworld.com/d/security/nvidia-investigating-breach-of-hashed-passwords-197796

https://www.infoworld.com/d/security/passwords-leaked-yahoo-boozy-preachy-angry-and-easy-197696

If a hacker can download data from the database of a large web company (typically the most-firewalled-away part of the architecture), chances are pretty good they can also access the application tier and grab the source code or compiled application that accesses the data layer.

Other tips

To expand on the previous answer: the left 6 are the BIN and are probably the same for all of your cards, so these are no help matching cards. Given the right 4 are random, the month is random, and the year has 1 of 6 values, that means you have 10000 * 12 * 6 = 720,000 unique combinations.

If you have 100,000 cards total, then your odds are 1 in 7 of having a collision. If you have over 1,500,000 cards then a collision is a near certainty on every transaction.
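
An added example, not part of either answer: under the assumptions stated above (one shared BIN, uniform last 4, uniform month, 6 expiry years), this Python code computes the chance that a new, different card matches a stored tuple and the chance that any two stored cards share one, then checks the first figure by simulation. The function names are illustrative and the simulated cards are constructed random values.

```python
import math
import random

# Assumptions taken from the answer above: one shared BIN, uniform last4,
# uniform month, 6 possible expiry years.
KEYSPACE = 10_000 * 12 * 6  # 720,000 distinct (last4, month, year) tuples


def p_new_card_matches(n_stored, keyspace=KEYSPACE):
    """Chance that a new, different card shares its tuple with a stored card.

    Computes 1 - (1 - 1/keyspace) ** n_stored in a numerically stable way.
    """
    return -math.expm1(n_stored * math.log1p(-1.0 / keyspace))


def p_any_pair_collides(n_cards, keyspace=KEYSPACE):
    """Birthday problem: chance that at least two of n_cards share a tuple."""
    if n_cards > keyspace:
        return 1.0  # pigeonhole: more cards than tuples
    log_no_collision = sum(math.log1p(-i / keyspace) for i in range(n_cards))
    return -math.expm1(log_no_collision)


def simulate_false_match_rate(n_stored, trials, seed=1):
    """Empirical check: store n_stored random tuples, then present `trials`
    brand-new cards and count how many would be mistaken for a stored one."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    stored = {rng.randrange(KEYSPACE) for _ in range(n_stored)}
    hits = sum(rng.randrange(KEYSPACE) in stored for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for n in (1_000, 100_000, 1_500_000):
        print(f"{n:>9} stored cards: "
              f"new card falsely matches {p_new_card_matches(n):.3f}, "
              f"some pair already collides {p_any_pair_collides(n):.3f}")
    print("simulated false-match rate with 100,000 stored cards:",
          simulate_false_match_rate(100_000, 20_000))
```

A tuple match therefore only narrows the search to candidate records; it cannot by itself confirm that the stored authorization belongs to the card being presented.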

License: CC-BY-SA with attribution
Not affiliated with StackOverflow