london.pm Digest, Vol 57, Issue 4
Nicholas Clark
nick at ccl4.org
Fri Jul 9 14:51:16 BST 2010
On Fri, Jul 09, 2010 at 02:02:52PM +0100, Chris Jack wrote:
> Here's a link:
> https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/account/VDCFrequentlyAskedQuestions-outside
>
> It sounds like it's in beta and only for websites at the moment. I'm also curious about how (if) they nabbed enough numbers to avoid reuse.
I don't think that they do. It's the combination of card number, expiry date
and name that has to be unique (or the space sufficiently large that there are
practically no duplicates). There may be other variables too, but
1: IIRC start date isn't passed in clearing files by some merchant acquirers,
so you can't rely on that.
2: IIRC the spec is that CV2 is generated algorithmically from other data on
the card and a hashing seed held securely by the card issuer, so I'm not
sure if there is leeway for the issuer of the re-usable numbers to change
how they do their CV2s. There *ought* to be, given that (as I understand
the spec), it's only describing the implementation detail for the black box
of "is this CV2 valid for this card", which the bank gets to say yay/nay.
However, there are banks involved here, so the card schemes might insist
that the implementation is mandatory, to stop stupid banks* doing something
else, that is cryptographically weak.
It might also be the "postcode"** associated with the virtual card number that
is part of the data that can be varied.
Nicholas Clark
* Is that a tautology?
** IIRC only the digits from the postcode are used. I'm guessing that the spec
was made in the USA, where ZIPs are only digits.
More information about the london.pm
mailing list