Digest, Vol 57, Issue 4

Nicholas Clark nick at
Fri Jul 9 14:51:16 BST 2010

On Fri, Jul 09, 2010 at 02:02:52PM +0100, Chris Jack wrote:

> Here's a link:
> It sounds like it's in beta and only for websites at the moment. I'm also curious about how (if) they nabbed enough numbers to avoid reuse.

I don't think that they do. It's the combination of card number, expiry date
and name that has to be unique (or the space sufficiently large that there are
practically no duplicates). There may be other variables too, but

1: IIRC start date isn't passed in clearing files by some merchant acquirers,
   so you can't rely on that.
2: IIRC the spec is that CV2 is generated algorithmically from other data on
   the card and a hashing seed held securely by the card issuer, so I'm not
   sure if there is leeway for the issuer of the re-usable numbers to change
   how they do their CV2s. There *ought* to be, given that (as I understand
   the spec), it's only describing the implementation detail for the black box
   of "is this CV2 valid for this card", which the bank gets to say yay/nay.
   However, there are banks involved here, so the card schemes might insist
   that the implementation is mandatory, to stop stupid banks* doing something
   else, that is cryptographically weak.

It might also be the "postcode"** associated with the virtual card number that
is part of the data that can be varied.

Nicholas Clark

*  Is that a tautology?
** IIRC only the digits from the postcode are used. I'm guessing that the spec
   was made in the USA, where ZIPs are only digits.

More information about the mailing list