The author is currently using JDK version 1.6.0_29 and Eclipse Juno Release, Build ID 20120614-1722. Unless otherwise noted, all of the Java code in this article is based on this environment.

Revision history

| Version | Revision date | Revision note |
|---------|---------------|---------------|
| V0.1 | 2018/09/02 | First draft |
| V1.0 | 2018/09/09 | Release |

Resources

  1. Wikipedia en.wikipedia.org/wiki/Paymen…
  2. Wikipedia en.wikipedia.org/wiki/Luhn_a…
  3. ISO/IEC 7812-1-2017 Identification cards – Identification of issuers – Part 1: Numbering system
  4. Financial Industry standard JR/T 0008-2000 Bank card issuing bank identification code and card number
  5. Identification cards — Identification of card issuers — Part 1: numbering system
  6. The development of UnionPay Standard Card (source: Sina Finance, Issue time: March 14, 2007)

Historical background

In 2000, the People’s Bank of China organized and formulated a series of bank card business norms and technical standards in order to promote the universal use of the Internet. According to the Bank Card Issuing Bank Identification Code and Card Number, all kinds of RMB cards issued and used in China must use a “9” BIN. The regulation laid a foundation for standardizing and unifying the issuance, use and interconnection of bank cards in China.

With the rapid development of China’s bank card industry and increasing international exchanges, cardholders have more and more demand for overseas payment. According to the International Organization for Standardization (ISO), bank cards with a BIN prefix of 9 can only be used in China. This means that after the RMB becomes freely convertible, a large number of “9” BIN bank cards issued by domestic card issuing institutions may not be usable abroad. The contradiction between this limitation and the demand of the majority of cardholders for overseas card payment has gradually emerged.

In order to promote the healthy and sustainable development of the national bank card industry, maintain the long-term interests of all card issuing institutions, and overcome the limitation on overseas use of “9” BIN bank cards, in 2002 China UnionPay, under the guidance and with the help of the People’s Bank of China, applied to ISO for 800 international standard BINs (622126 to 622925) for use both at home and abroad. After obtaining the reply from the People’s Bank of China on the use of the BIN numbers of UnionPay international standard card issuing banks, China UnionPay issued the Letter on the Use of the BIN Number of UnionPay International Standard Card Issuing Bank to its member institutions in July 2003.

In order to standardize and reasonably allocate, use and manage the UnionPay international standard BIN numbers and the original, widely used “9” prefix BIN numbers, China UnionPay issued the Interim Measures for the Allocation and Management of the BIN Number of UnionPay Logo Cards. With this, the distribution and use of the UnionPay international standard “62” BIN numbers was officially launched, and all member institutions began to issue UnionPay standard cards, namely bank cards that carry the “62” logo and whose first six digits use a UnionPay international standard “62” BIN. The card conforms to China’s unified business norms and technical standards, and is a high-quality, international national bank card brand with independent intellectual property rights in China.

Code rules for bank card numbers

The bank card number consists of up to 19 digits.

  1. The first six digits are the Issuer Identification Number (IIN), also known as the Bank Identification Number (BIN). China UnionPay applies to ISO for these on behalf of all card issuing institutions in China. The first of the six IIN digits, the Major Industry Identifier (MII), is assigned as follows:
    • 0 – ISO/TC 68 and other industry distribution
    • 1 – Aviation
    • 2 – Aviation, finance and other future industry allocations
    • 3 – Tourism and entertainment
    • 4 – Banking and finance
    • 5 – Banking and finance
    • 6 – Business and banking/finance
    • 7 – Oil and other future industry allocations
    • 8 – Healthcare, telecommunications and other future industry allocations
    • 9 – Allocated by national standards bodies
  2. Digits 7 to 18, in the middle, are defined by the card issuing bank and identify the individual account. This part is at most 12 digits long.
  3. The last digit is the check digit, which is calculated using the Luhn algorithm.

Note: In ISO/IEC 7812-1 as released in 2017, the description of the MII was deleted and the IIN was extended from 6 to 8 digits. Because the total length is still at most 19 digits, the maximum length of the individual account number in the middle was reduced from 12 to 10 digits. The card BIN is therefore no longer always 6 digits, and 8-digit BINs must also be supported.

Luhn algorithm

The Luhn algorithm, also known as the “modulus 10” algorithm, is a simple checksum algorithm commonly used to verify identification numbers such as credit card numbers, International Mobile Equipment Identity (IMEI) numbers, US supplier identification numbers, Canadian Social Security numbers, Israeli ID numbers and Greek Social Security numbers.

The Luhn algorithm is defined in ISO/IEC 7812-1. It is not a secure cryptographic hash function. It is designed to protect against accidental errors rather than malicious attacks.

The steps for checking a number with the Luhn algorithm:

  1. Number the digits from the right, starting with the check digit as position 1, and multiply the digits in even positions by 2;
  2. Add the digits of the products obtained in step 1 to the digits of the original number that were not multiplied by 2;
  3. If the sum obtained in step 2 modulo 10 is 0, the verification succeeds.

For example:

The author has an expired credit card number 6225760008219524. Check it according to the above steps.

| Position (from right) | Digit | Step 1 | Step 2 (running sum) |
|-----------------------|-------|--------|----------------------|
| 16 | 6 | 6 × 2 = 12 | 1 + 2 = 3 |
| 15 | 2 | | + 2 = 5 |
| 14 | 2 | 2 × 2 = 4 | + 4 = 9 |
| 13 | 5 | | + 5 = 14 |
| 12 | 7 | 7 × 2 = 14 | + 1 + 4 = 19 |
| 11 | 6 | | + 6 = 25 |
| 10 | 0 | 0 × 2 = 0 | + 0 = 25 |
| 9 | 0 | | + 0 = 25 |
| 8 | 0 | 0 × 2 = 0 | + 0 = 25 |
| 7 | 8 | | + 8 = 33 |
| 6 | 2 | 2 × 2 = 4 | + 4 = 37 |
| 5 | 1 | | + 1 = 38 |
| 4 | 9 | 9 × 2 = 18 | + 1 + 8 = 47 |
| 3 | 5 | | + 5 = 52 |
| 2 | 2 | 2 × 2 = 4 | + 4 = 56 |
| 1 | 4 | | + 4 = 60 |

60 % 10 = 0, so the check passes. You can try verifying your own bank card number.

Once you understand how the Luhn algorithm verifies a bank card number, it is easy to derive how to use it to calculate the check digit of a digit string. Take the same bank card number as an example: after removing the check digit, the remaining digits are 622576000821952. Treating the check digit as an unknown, the calculation still follows the steps above.

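| Position (from right) | Digit | Step 1 | Step 2 (running sum) |
|-----------------------|-------|--------|----------------------|
| 16 | 6 | 6 × 2 = 12 | 1 + 2 = 3 |
| 15 | 2 | | + 2 = 5 |
| 14 | 2 | 2 × 2 = 4 | + 4 = 9 |
| 13 | 5 | | + 5 = 14 |
| 12 | 7 | 7 × 2 = 14 | + 1 + 4 = 19 |
| 11 | 6 | | + 6 = 25 |
| 10 | 0 | 0 × 2 = 0 | + 0 = 25 |
| 9 | 0 | | + 0 = 25 |
| 8 | 0 | 0 × 2 = 0 | + 0 = 25 |
| 7 | 8 | | + 8 = 33 |
| 6 | 2 | 2 × 2 = 4 | + 4 = 37 |
| 5 | 1 | | + 1 = 38 |
| 4 | 9 | 9 × 2 = 18 | + 1 + 8 = 47 |
| 3 | 5 | | + 5 = 52 |
| 2 | 2 | 2 × 2 = 4 | + 4 = 56 |
| 1 | (check digit) | | + (check digit) = 56 + (check digit) |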

For (56 + check digit) % 10 = 0 to hold, the check digit must be 4, which is consistent with the actual bank card number.

The code implementation is as follows:

```java
/**
 * The Luhn algorithm is defined in ISO/IEC 7812-1.
 */
public class LuhnUtil {

    /**
     * Verifies a string.
     * <p>
     * 1. Counting from the first digit on the right (the check digit), multiply the digits in even positions by 2;<br>
     * 2. Add the digits of the products obtained in step 1 to the digits of the original number that were not multiplied by 2;<br>
     * 3. If the sum obtained in step 2 modulo 10 is 0, the verification succeeds.
     * </p>
     *
     * @param withCheckDigitString string that includes the check digit
     * @return true - the verification succeeds<br>
     *         false - the verification fails
     * @throws IllegalArgumentException if the string is null or is not a string of 8 to 19 digits
     */
    public static boolean checkString(String withCheckDigitString) {
        if (withCheckDigitString == null) {
            throw new IllegalArgumentException();
        }
        // 6-digit IIN + up to 12 issuer-defined digits + 1 check digit.
        // Note that ISO/IEC 7812-1:2017 redefines this as
        // 8-digit IIN + up to 10 issuer-defined digits + 1 check digit.
        // To stay compatible with versions earlier than 2017, accept 8 to 19 digits.
        if (!withCheckDigitString.matches("^\\d{8,19}$")) {
            throw new IllegalArgumentException();
        }
        return sum(withCheckDigitString) % 10 == 0;
    }

    /**
     * Computes the check digit.
     * <p>
     * 1. Counting from the first digit on the right, multiply the digits in even positions by 2;<br>
     * 2. Add the digits of the products obtained in step 1 to the digits of the original number that were not multiplied by 2;<br>
     * 3. Subtract the sum obtained in step 2 modulo 10 from 10 to obtain the check digit
     *    (0 when the sum is already a multiple of 10).
     * </p>
     *
     * @param withoutCheckDigitString string that does not include the check digit
     * @return the check digit
     * @throws IllegalArgumentException if the string is null or is not a string of 7 to 18 digits
     */
    public static int computeCheckDigit(String withoutCheckDigitString) {
        if (withoutCheckDigitString == null) {
            throw new IllegalArgumentException();
        }
        // 6-digit IIN + up to 12 issuer-defined digits.
        // Note that ISO/IEC 7812-1:2017 redefines this as
        // 8-digit IIN + up to 10 issuer-defined digits.
        // To stay compatible with versions earlier than 2017, accept 7 to 18 digits.
        if (!withoutCheckDigitString.matches("^\\d{7,18}$")) {
            throw new IllegalArgumentException();
        }
        // Append "0" in place of the missing check digit so that sum() sees the
        // same positions as for a full number; the 0 adds nothing to the sum.
        // The outer % 10 maps a result of 10 to 0 when the sum is already a multiple of 10.
        return (10 - sum(withoutCheckDigitString + "0") % 10) % 10;
    }

    /**
     * Calculates the sum of the digits in the string according to the Luhn algorithm.
     * <p>
     * 1. Counting from the first digit on the right (the check digit), multiply the digits in even positions by 2;<br>
     * 2. Add the digits of the products obtained in step 1 to the digits of the original number that were not multiplied by 2.<br>
     * </p>
     *
     * @param str string of digits
     * @return the Luhn sum
     */
    private static int sum(String str) {
        char[] strArray = str.toCharArray();
        int n = strArray.length;
        int sum = 0;
        // i is the position counted from the right (1 = check digit).
        for (int i = n; i >= 1; i--) {
            int a = strArray[n - i] - '0';
            // Digits in even positions are multiplied by 2.
            if (i % 2 == 0) {
                a *= 2;
            }
            // Add the tens digit and the units digit; for a digit that was
            // not doubled the tens digit is 0.
            sum = sum + a / 10 + a % 10;
        }
        return sum;
    }
}
```

Practical application

Bank card information inquiry

In financial software systems the bank card number is an important data element, yet the number itself carries little information. As described above, the card BIN is the information we can extract from a bank card number. For most people, however, the card BIN is not easy to use, because the mapping from BIN to issuer is not easy to obtain.

Of course, the Internet contains everything, and card BIN lists can be downloaded from websites and forums everywhere. But many people overlook one problem: card BIN data needs to be updated. A list downloaded from the Internet is only a snapshot at one point in time, so its validity is hard to guarantee.

The author has also seen someone mention an Alipay query interface (ccdcapi.alipay.com/validateAnd…). The author tried it with the expired card number above, and the interface returned cardType="CC" for credit card and bank="CMB" for China Merchants Bank. As the largest third-party payment platform in China, Alipay should in theory be able to guarantee the accuracy and validity of its card BIN data. However, the author does not know the source of its card BIN data, which is presumably the banks or UnionPay.

Data obtained from the source is bound to be more accurate and valid. Here the author recommends the card BIN query interface provided by UnionPay, which offers several interfaces on its open platform (open.unionpay.com/), including the card information query interface (open.unionpay.com/tjweb/api/d…). Given a bank card number, it can return the issuing bank, issuing bank organization code, card nature, card type, card type, card brand, card product, card grade, card medium, Chinese name of the head office and Chinese abbreviation of the head office.

The content returned by the interface is quite comprehensive, but the author has not used this interface in a development project, so its performance cannot be guaranteed. However, the authority of UnionPay is beyond doubt. If you need business cooperation, feel free to call them to negotiate; UnionPay's service is very professional.

Price details: The product promotion period is from October 1, 2017 to September 30, 2018, and the product can be used for free during the promotion period. After the promotion period, the charging standard will be separately publicized on the platform 30 working days in advance.

So far, the author has not seen the charging standard published. Can this be taken to mean that the product is still free to use?

Verify bank card information

The UnionPay open platform (open.unionpay.com/) also provides another excellent interface, card information verification (open.unionpay.com/tjweb/api/d…). Verification can be done in the following five ways, combined and selected flexibly as needed:

  • Two elements: bank card number + name
  • Two elements: bank card number + ID number
  • Three elements: bank card number + name + ID number
  • Four elements: bank card number + name + ID number + bank reserved mobile phone number
  • Six elements: bank card number + name + ID number + bank reserved mobile phone number + CVN2 + validity period

According to my personal project experience, I recommend four-factor verification for debit cards and six-factor verification for credit cards. After all, the more verification elements, the more reliable the verification.

Program design

With the Luhn algorithm and the two interfaces provided by the UnionPay open platform, how should we design our programs (products)?

  1. Perform preliminary verification on the input elements. Verify the bank card number using the Luhn algorithm, and verify the ID number using the formula introduced in the previous part, "Code rules and verification of ID card number".

  2. Check the mobile phone number reserved with the bank. Note that a number the customer believes is the reserved one may not actually be. If the customer insists that the information was filled in correctly, asking the customer to call the bank and check the reserved mobile phone number is one way to resolve the problem. The purpose of this check is mainly to verify that the phone is in the customer's possession, which can be done with an SMS verification code. It is necessary for two reasons. First, from a security point of view, stealing a mobile phone usually costs more than stealing bank card information. Second, the two interfaces provided by the UnionPay open platform are likely to be charged for later, while an SMS is usually cheaper, so unqualified information is excluded first, which improves the success rate of the subsequent verification.

  3. Call the card information query interface. After the preliminary checks pass, we can call the first UnionPay interface, the card information query. The information UnionPay returns is comprehensive, and the author's suggestion is to save all of it. Once enough card data has accumulated in the system, data analysis will give you, congratulations, your own card BIN data; updating it once a month is enough. This interface shows how clever UnionPay is: it does not give you the card BIN data directly but makes you call its interface for every query, handing you a fish each time rather than teaching you to fish. (When developing interfaces ourselves, we should note the following: for the sake of security and irreplaceability, core data should not be leaked, and verification should be offered instead of query wherever possible, which also helps raise interface usage and user stickiness. At the same time, record as much requester data as possible, which is convenient for later data analysis and in line with the current big data trend.) Calling this interface accumulates data on the one hand and, on the other, determines whether the customer's bank card is a debit card or a credit card. The verification elements differ slightly between the two. In the card verification the author has dealt with in development projects, besides the four elements of bank card number, name, ID number and mobile phone number, debit cards can additionally be verified by password, and credit cards by CVN2 and validity period. Chip debit cards are also issued with a CVN2 and validity period, but these have never been verified in the author's projects, and the author does not know whether the UnionPay interface can verify them. Sometimes, to improve customer experience, the debit card password and the credit card CVN2 and validity period are not verified. Convenience and security are a trade-off, and technology cannot deliver both in full.

  4. Finally, we can call the second interface of UnionPay.

Secure data storage

At this point, you think it’s over? Not yet. There is an important issue, and that is data security.

  1. Storing bank card numbers, ID numbers and mobile phone numbers in encrypted form is recommended;
  2. Storing debit card passwords and credit card CVN2 and validity periods is not recommended;
  3. It is recommended to store data securely on every medium where it is visible, such as application logs and data synchronization files, not only in databases;
  4. The same applies to data in transit. In the UnionPay interface, CVN2 and validity period require RSA encryption.
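
One way to apply item 3 to application logs, as an added example that is not code from the original article: a filter that masks Luhn-valid digit runs before a line is logged. The class name PanLogMasker, its methods and the sample log lines are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: masks Luhn-valid card numbers before a line reaches the log. */
public class PanLogMasker {
    // A run of 8 to 19 digits (the range checkString accepts) not embedded in a longer run.
    private static final Pattern CANDIDATE = Pattern.compile("(?<!\\d)\\d{8,19}(?!\\d)");

    /** Luhn check: double every second digit from the right, add up all digits. */
    static boolean luhnValid(String digits) {
        int sum = 0;
        for (int i = 0; i < digits.length(); i++) {
            int d = digits.charAt(digits.length() - 1 - i) - '0';
            if (i % 2 == 1) {
                d *= 2;
            }
            sum += d / 10 + d % 10;
        }
        return sum % 10 == 0;
    }

    /** Keeps the first 6 and last 4 digits; runs of 10 digits or fewer keep only the last 4. */
    static String mask(String pan) {
        int head = pan.length() > 10 ? 6 : 0;
        StringBuilder sb = new StringBuilder(pan);
        for (int i = head; i < pan.length() - 4; i++) {
            sb.setCharAt(i, '*');
        }
        return sb.toString();
    }

    /** Masks every Luhn-valid digit run in a log line; other numbers pass through. */
    public static String sanitize(String line) {
        Matcher m = CANDIDATE.matcher(line);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String run = m.group();
            m.appendReplacement(out, luhnValid(run) ? mask(run) : run);
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed log lines; the card number is the expired one from this article.
        String[] lines = {
            "bind card cardNo=6225760008219524 channel=app",
            "order 2018090212345678 created, amount=100"
        };
        for (String line : lines) {
            System.out.println(sanitize(line));
        }
    }
}
```

A mistyped card number that fails the Luhn check passes through unmasked, and roughly one in ten arbitrary digit runs passes the check, so fields known to hold card numbers should also be masked by name.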

Information security requires a multi-pronged approach, so that tragedies like those at CSDN, Ctrip and Huazhu are not staged again.

Content on data encryption algorithms will be covered in a separate follow-up topic.