Tim Nash "stuff" Blog

What your credit card says about you

3

Most people have shopped online with a credit or debit card and these days we barely think before using the plastic. But, the credit card details we put in don’t just make purchases. They can also tell us a lot about the banking habits of the user, information such as town of origin and even fraud risk.

Anatomy Of a Credit Card Number

(Note: this goes for most modern debit cards as well)

Credit Card Anatomy

MII – Master Industry Identifiers

The very first digit of the long string on your credit card is the master identification number, it tells you which industry the card originated from

  • 0 ISO/TC 68 and other industry assignments
  • 1 Airlines
  • 2 Airlines and other industry assignments
  • 3 Travel and entertainment
  • 4 Banking and financial
  • 5 Banking and financial
  • 6 Merchandising and banking
  • 7 Petroleum
  • 8 Telecommunications and other industry assignments
  • 9 National assignment

Some cards may not appear where you expect, but are there for historical reasons. For example, American Express is in Travel and Entertainment, rather than banking.

Another slightly odd one out are Best Buy Credit Cards in the United States, which start with a 7 (I have no idea why Best Buy thinks it’s in the Petroleum industry, but I suspect as it’s an HSBC white labeled card, HSBC owned a company that use to issue under these numbers.)
Just with the first digit we can tell:

  • If the card is a VISA card (they all start with 4)
  • If they are a specialist business card 0,1,7,8,9
  • If they are a second tier (normally debit cards) 6

BIN – Bank Identification Number

Sometimes called IIN (Issuer identification number) this is the first 4 or 6 digits of the card including the MII at the front. With this number you can identify the Issuing party, normally a bank. For example, 4047 83 is NatWest Private Banking Visa Credit Card.

Thinking it is just restricted to Credit and Debit cards? Think again! 6034 50 is Starbucks Card (for Starbucks Europe).

The complete BIN list is kept a closely guarded secret. While the reason normally cited for keeping the list a secret is security by obscurity, it’s more likely simply to protect ISO Registry and American Bankers Associations who publish the list. Bottom line.

There are however numerous attempts to identify all cards a short list can be found on Wikipedia and a larger BINDatabase is also available, which is user contributed. As you would expect, much like postcode data here in the UK, there are people selling copies of the data, but these lists may or may not be genuine so buyer beware.

Checksum

The last digit of the big long number is a checksum. This provides a quick way to validate the credit card number. While not useful in profiling the user, it’s worth noting all modern credit debit cards (including Laser Cards (contrary to Wikipedia) use Mod10 or Luhns Algorithm.

Expiry Date and Sort Code/Issue Number

All Credit Cards have an expiry date and some also include a start date. Using the two numbers and the current date can be used to help determine a risk assessment on the cards. Newer cards will be of a greater risk of charge backs and issues. Older cards are more likely to be hitting credit limits and be maxed out.
Some debit cards have a 6 digit Sort Code (mainly in the UK). The first 2 digits indicate the issuer, much like the BIN number. The last 4 digits are for internal use only, but basically are branch & handling office identifiers. So, for example, 52-41-19 is NatWest, Woolpack Ely Branch.

Getting hold of a list is not easy, as there is no centralised database, but with this date, you know the location of the card holders when they opened their bank accounts. People move; their sortcodes normally don’t.

Issue Number, again, mainly on debit cards, shows how many of that type of card they have had. For example, if a user had a solo card, then was given a switch/maestro card, the issue number on the Switch card would be 1. An issue number could potentially be a way of validating long term stable credit rating, but probably unreliable as such.

Potential Uses For Credit Card Data?

Identifying High Value Customers

Let’s face it: we don’t all have platinum cards in our pockets (well if your card starts 3713 then you do), but just like in a shop, the colour of your credit card often affects your experience. In the online world, it can be the same.

Ecommerce data miners looking for high value customers and can identify more premium credit cards such as the Platinum American Express (3713), Black Card (uk: 3742 88) or Infinite Aerogold (4500 03). There are plenty of others, just remember all that glitters is not gold! There are plenty of gold & platinum cards out there with low limits and anyone can max out their card!

Identifying Fraud Risk/Spending Profiling

Some banks are going to be more likely to have a higher rate of charge backs. In the UK, store cards, most of which are credit cards rather then loyalty cards, have a higher risk of chargeback against them. This can be put down to:

  • Targeting people with bad or low credit score
  • Lots of pressure from sales staff to push the cards

Likewise, there are certain banks that are likely to have a different approach to risk assessment when offering credit. While it would be unfair to assume all transactions will be fraudulent from these providers, it could be used in any risk calculations. In addition, you can use card types within profiling.

One example is something I’m working on now, which is a donation system where users may select how much they want to pay. When we see a high value platinum card making a $1 donation, it is deemed far more suspicious than if they were making a $50 or $1000 donation. Likewise, if a solo card made a $1000 donation, we would consider that outside of the normal profiling.

Just Being Nosy

When you combine this information with other buyer mining, you can come up with quite a comprehensive overview of a user. Their credit card choice and postcode is enough information along with demographic information from the Acorn Database (for those in the UK)  to make a rough judgment of an individual.

So, next time you use a credit card, ask yourself how much does your card say about you?

Consulting

Interested or Worried about data mining? Taking your first steps? Or, are you already harnessing buyer mining in your business? If you’re interested in how your business could be harnessing this sort of credit card data mining, then why not get in touch with me, or look at my consulting services.

Consulting

While I no longer offer personal consultancy if you are interested in going further then please let us know at Coding Futures

Quicklinking

If you want to link to this post quickly please use http://tnash.eu/t652

rss feed

3 comments

  • andymurd

    Hi Tim,

    Nice post – I do a lot of work in the payment processing industry and have to deal with these kind of issues quite often.

    In my experience BINs are not accurate enough (in Europe at least) to reliably determine which bank issued the card BUT they are often used to choose to route transactions through different acquirer networks (e.g. if NatWest charge 2p per Visa txn, 8p for Mastercard whilst HSBC charge 6p for both, send Visa cards to Natwest and all others through HSBC).

    Card fraud is a fun place to explore too. Most wannabe fraudsters follow the pattern of making a few small online payments to test out your system, then hit you with a big transaction. They’ll use a few different proxies too, so you can often do some IP geolocation and check whether it was physically possible to transport the card between those locations in the timeframe between payments.

    One of the most useful indicators when profiling customers is the return code from the bank indicating whether your transaction succeeded or failed. Just one (00) for a successful authorisation, but another hundred or so for declined transactions. Record and mine that info to figure out who’s running out of money at the end of each month or exceeding frequency limits (an early fraud indicator).

    If you’re taking payments online, a word of warning to follow the PCI DSS standards – basically have a very secure network and don’t record any card data – as fines are high and auditing is getting tougher.

  • James

    good post Tim, scary the level of data that can be obtained! It makes you think about the limitations of the data protection act.

  • John Keating

    Fantastic post and a real insight. Whats just as interesting as the detail here is probably the level of ignorance their is to this type of activity – data mining and acquisition in the consumer marketplace. Data companies are partnering with online and high street stores to use transactional data for third party marketing with consent of course. This is a great way to target consumers using their credit cards to analyse their spending behaviour. Did they respond to an offer? was it seasonal? types of products purchased? and so on. As you say Tim, combine this data with credit card detail, geo demogprahic information and any lifestyle information held and it can be a powerful mechanism for marketers.

    How many consumers are actually aware this happens though is another topic all together.

Add a comment



*Required

You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> in your comment.