Reputation: 1401
Credit Card - How Unique is First6,Last4, expMonth & expYear
I'm building a manager class with PHP to manage credit card payment authorizations. With credit cards, we're allowed to keep First6, last4, expiration_Month and expiration_Year.
I'm really interested in knowing how unique the combination of these 4 variables is and how likely it would be to run into another one.
Depending on how likely it is will effect when to test if we've already got a valid authorization for a new card. If we've already got an authorization for a particular card, there's no need to run the numbers again. Instead, we can find the already authorized card and do a re-authorization. However, I wouldn't want to run the wrong card because it has a similar First6, last4, expiration_Month and expiration_Year..
My goal is to limit data redundancy of credit card data, hits to the CC processor API and unnecessary authorizations on customer cards.
Upvotes: 1
Views: 3159
Answers (2)
Reputation: 150108
The First 6 tell you what kind of card you are dealing with. For a list of issuers see:
http://en.wikipedia.org/wiki/List_of_Issuer_Identification_Numbers
The last four are essentially random. The month will be essentially random, and the year will be in a small range from the current year to perhaps 6 years out. The year will exhibit some bias between possible values.
You will almost certainly have collisions if you combine those items to attempt to uniquely identify a card. That is not a reliable thing to do.
EDIT
Here are examples of recent security breeches similar to this scenario
http://blogs.cisco.com/security/6-5-million-password-hashes-suggest-a-possible-breach-at-linkedin/
http://www.infoworld.com/d/security/nvidia-investigating-breach-of-hashed-passwords-197796
https://www.infoworld.com/d/security/passwords-leaked-yahoo-boozy-preachy-angry-and-easy-197696
If a hacker can download data from the database of a large web company (typically the most-firewalled-away part of the architecture), chances are pretty good they can also access the application tier and grab the source code or compiled application that accesses the data layer.
Upvotes: 5
Reputation: 2862
To expand on the previous answer. The left 6 are the BIN and are probably the same for all of your cards, so these are no help matching cards. Given the right 4 are random, the month is random, and the year has 1 of 6 values that means you have 10000 * 12 * 6 = 720,000 unique combinations.
If you have 100,000 cards total, then your odds are 1 in 7 of having a collision. If you have over 1,500,000 cards then a collision is a near certainty on every transaction.
Upvotes: 3
Related Questions
- What is the best way to validate a credit card in PHP?
- How unique are the last 4 digits of a credit card?
- Sample Credit Card processing
- Storing partial credit card numbers
- What set of chars is php's uniqid composed of?
- PCI compliant hash of a credit card number
- Storing a SHA256 of first and last name along with 4 last digits of credit card number
- Unique identification string in php
- How often do the first four numbers of a credit card change?
- Is there a secure way to guarantee credit card uniqueness?