Most credit cards and debit cards contain a special last digit in their series of digits that make up the primary account number (PAN). This last digit is a check sum digit and provides a special function. The identity of the digit is determined by the preceding digits in the PAN. There are frequently 15-18 preceding digits in an average credit or debit card. The check sum digit is not a security feature but instead acts to reduce the error rate of copying down the incorrect digits making up a PAN. The check sum digit uses the preceding digits and a special algorithm, or equation, called the Luhn algorithm.
The Luhn algorithm was developed in 1954 by computer scientist Hans Luhn - hence the algorithm’s name, although it is also known as the modulus 10 or mod 10 algorithm. The checksum formula uses all of the PAN digits, except the checksum digit and generates a digit from 0-9. This digit then becomes the final number in the PAN.
The algorithm is not particularly complex but serves to reduce the accidental use of incorrect PANs. The calculation starts with the final number, before the checksum digit, which hasn’t been calculated yet. All digits in odd positions are multiplied by 2. If the product of the multiplication is equal to or greater than 10, then that product is replaced with the digit that is the sum of the 2 digits making up the number 10 or greater. For example, assume that digit #3 in the PAN is the number 7; to make the calculation, 7 is multiplied by 2 to generate 14; 14 is then transformed to 1+4 = 5; so 5 is the digit representing the digit in position #3 of the PAN.
All of the digits generated through multiplying by 2 and summing the digits of numbers 10 and above are added with all the even positioned digits in the PAN. This creates a preliminary sum. The final step can be done using 2 different methods that create the same result.
The first method takes the preliminary sum and multiplies it by 9. The last digit of this product is the checksum digit.
The second method takes the unit digit of the preliminary sum and then subtracts that number from 10. The result of that subtraction is the checksum digit. If the preliminary sum ends in zero then zero is the checksum digit.
The check sum digit will detect any single-digit error and most transpositions of adjacent digits. It will not, however, detect transposition of the two-digit sequence 09 to 90 (or vice versa), or two or more incorrect digits when the checksum coincidentally is equal to the correct PAN checksum. In practical terms the checksum will likely detect incorrect numbers or help identify illegible numbers.
|Example 1: card number||1||2||3||4||5||6||7||8||9||0||1||2||3||4||5||-|
|Double every digit in the odd positions||2||2||6||4||10||6||14||8||18||0||2||2||6||4||10||-|
|58 x 9 = 522, therefore the checksum digit will be '2'||1||2||3||4||5||6||7||8||9||0||1||2||3||4||5||2|
|Example 2: card number||9||8||7||6||5||4||3||2||1||0||9||8||7||6||5||-|
|Double every digit in the odd positions||18||8||14||6||10||4||6||2||2||0||18||8||14||6||10||-|
|73 x 9 = 657, therefore the checksum digit will be '7'||9||8||7||6||5||4||3||2||1||0||9||8||7||6||5||7|
A story was posted recently claiming the Luhn algorithm helped to win a court case against fraudsters using counterfeit credit cards. The counterfeit cards were generated without a calculated checksum digit and the presentation of this information in court was a significant factor in the prosecution of the offenders. But the checksum digit is essentially an error detector not a security feature.