8

In our application we use the card type and last 4 digits provided by a merchant terminal as a unique identifier for customers. For example VISA-1234.

Since the card number is not actually random (based on the Luhn algorithm) do we really get 10,000 combinations for the last 4 digits or is it a smaller subset? If so, is it possible to calculate or even estimate this number?

Elliot Chance
  • 4
    The last digit of a credit card number is a checksum, so there are only 1,000 combinations of the last 4 digits for a credit card issuer. If you really want 10,000 numbers, you would need to save the last 5 digits. – Gilbert Le Blanc Nov 02 '15 at 23:36
  • 1
    ...and you can't store the last 5 digits as that is not PCI-DSS compliant. PCI states you can store first six, last four (at most) in plaintext. – PaulG Nov 03 '15 at 13:17
  • 1
    @PaulG - that won't be a problem because the 4 digits are provided from the device, we never handle any more details. – Elliot Chance Nov 03 '15 at 13:36

1 Answer

8

There are potentially 10,000 combinations of the last four digits. The fact that the last digit is a Luhn check digit does not alter this fact.

As an example, these 10 card numbers have valid Luhn digits from 0 through 9. This list has been generated by modifying the 7th digit of the card number in each:

4242420242424240
4242429242424241
4242424242424242
4242428242424243
4242423242424244
4242427242424245
4242422242424246
4242426242424247
4242421242424248
4242425242424249

As an aside, PCI-DSS only allows plain text storage of (at most) the first six and last four digits.

Wai Ha Lee
PaulG
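The following Python check is an added example, not part of the original answer. It confirms that the ten listed numbers pass Luhn, that a fixed 12-digit prefix admits only 1,000 last-four values, and that varying the 7th digit (the answer's method) reaches all 10,000. The function names and the fixed middle digits `24242` are assumptions taken from the answer's sample numbers.

```python
from itertools import product

def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the right, is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# The ten card numbers listed in the answer above.
ANSWER_PANS = [
    "4242420242424240", "4242429242424241", "4242424242424242",
    "4242428242424243", "4242423242424244", "4242427242424245",
    "4242422242424246", "4242426242424247", "4242421242424248",
    "4242425242424249",
]

ALL_SUFFIXES = ["".join(p) for p in product("0123456789", repeat=4)]

def suffixes_with_fixed_prefix(first12: str) -> int:
    """Count last-four values that validate when the first 12 digits are fixed."""
    return sum(luhn_valid(first12 + s) for s in ALL_SUFFIXES)

def fit_suffix(last4: str, head: str = "424242", mid: str = "24242"):
    """Return a Luhn-valid 16-digit number ending in last4, found by varying
    only the 7th digit, or None if no such number exists.
    head and mid are assumptions copied from the answer's sample numbers."""
    for d7 in "0123456789":
        pan = head + d7 + mid + last4
        if luhn_valid(pan):
            return pan
    return None

def reachable_suffixes() -> int:
    """Count last-four values for which some 7th digit gives a valid number."""
    return sum(fit_suffix(s) is not None for s in ALL_SUFFIXES)

if __name__ == "__main__":
    print(all(luhn_valid(p) for p in ANSWER_PANS))
    print(suffixes_with_fixed_prefix("424242424242"))
    print(reachable_suffixes())
    print(fit_suffix("1234"))
```

The doubling step maps the digits 0 to 9 onto a permutation of 0 to 9, which is why a single free digit earlier in the number is enough to satisfy the checksum for any chosen last four.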