Japan running out of credit card numbers

Found this quite interesting that’s it’s push for a cashless society means it’s running out of numbers

This is surprising as I always heard that Japan was still rather cash based, and even with large growth their population isn’t particularly huge to have such issues.

Even with a single 6-digit BIN from MasterCard/Visa, or whatever payment network they use, it leaves 9 digits beside the check digit. That leaves around 1 billion possible numbers per BIN, and they currently only have 283 million cards issued.

Granted, the actual number of possible card numbers is likely to be much lower, but looking at other countries with a significantly higher population that seem to be managing (including the US), its strange to consider that they have issues.

It is rather cash based, but when I was there, there was no problem using card in most places. Used my Monzo card a lot of the time.

We’ll have to organise an emergency airlift of credit card numbers.

We could train Monzo employees to parachute into Nagasaki with rucksacks full of numbers so that the Japanese population can carry on buying stuff.

It would be great publicity for Monzo. What do you think?

“Credit card companies have warned that the boost in card issuances will result in a shortage of combinations from the seventh-digit onwards, the newspaper said.”

Is it just me? I have no idea what that means.

Edit. It makes perfect sense, when you read it correctly. I read “seventeenth”, not seventh. So much for my expensive new specs…

Is the shortage perhaps caused by them only having a very limited number of BINs?

Perhaps Visa and Mastercard can simply give them a few new BINs, if so.

That would easily allow for thousands more numbers.

As a bit of background, a lot of smaller Japanese businesses were reluctant to accept cards because of the cost of merchant processing services. What the most recent “cashless” campaign did was subsidies on two fronts- merchant processing fees for small businesses were subsidised, and card spending rewards were subsidised and passed on to customers, either by a discount at the till (which worked with any credit, debit, or prepaid card) or by additional rewards given on credit cards (the second of which only worked with Japanese cards for obvious reasons).

Interestingly, one of the surprises this resulted in was people finding out that not all convenience stores in Japan were franchised. Some were owned and operated by corporate headquarters, and because those weren’t “small businesses”, you couldn’t get the “cashless” discount at these “owned and operated” stores, only the franchised ones which on paper, were each their own “small business”.

Basically, that combined with the pandemic caused an explosion in the number of people signing up for and using bank cards, so I completely believe that they’re running low on card numbers because they may not have prepared for the sudden jump in demand. I’m just surprised they’re jumping to the idea of a 17th digit instead of, say, securing some more BINs. Certainly MasterCard has quite a few now that they’ve secured access to 2 as a starting digit.

Yes, adding a 17th digit makes no sense whatsoever.

Wouldn’t it cause all sorts of technical processing problems, particularly online, when systems would be expecting only 16 digits?

This is actually a really interesting problem.
So, you look at the card number and think “16 digits is shit loads, how can they be running out?”

So, the first 2 digits are assigned to the card network (3x Amex, 4x Visa, 5x Mastercard,… ) the next 4 digits they give out to issuers like us.

For example we own 535522 (our BIN or IIN) for UK Debit cards.

The last digit is a checksum. You can use it to verify if a card number is legal (read about Luhn Algorithm).

That means we now have 9 digits left (1 billion numbers per issuer). Additionally issuers will usually split these into different products. Amex uses their first 2 digits for the country they are issuing the card to and the next two digits for the type of card (Platinum/Gold, etc…)

In addition, issuers won’t use all card numbers within that range, because otherwise attackers can easily guess card numbers. So if Amex UK Gold cards have 10,000,000 numbers, they will only actually allow issuing a small percentage of it (randomly, NOT incrementally).

And then there are card replacements, expiries, MDES tokens and virtual cards, which will consume card numbers really quickly.

So in short, you can go through 16 digits pretty quickly

Adding one more digit would be a massive pain for the industry. Just imagine the number of legacy systems validating that card numbers have 16 digits.

Interesting. It looks like the ISO/IEC have extended the IIN to 8 digits and permitting PAN’s of length up to 19 digits. I imagine that’s going to be an extremely painful migration if/when it occurs.

Surely the solution to sequential numbers being a risk is doing away entirely with allowing any kind of payment where the card number and expiry is enough to create a charge?

In some places (specially the US) all you need to make an online purchase is a card number - not even CVC2.

We actually get PAN Enumeration attacks on a weekly basis, where attackers try to brute force a combination of cards to see which ones are valid. Luckily we have techniques to block and monitor these.

I’m 99% certain Amazon don’t ask for the CVC2 when adding a payment card. Is this because they’ve based it on their US implementation?

As far as I’m aware it isn’t because it’s based on any particular implementation. Amazon have simply weighed up the risks and decided that reducing friction to make a purchase makes it worthwhile to shoulder the cost of higher fraud and/or higher transaction costs (from the higher risk).

I’m sure this was covered somewhere that I’d read in the past, but I haven’t the slightest where to find it now.

Thanks. “Amazon CVV” bought up a few threads where it’s been highlighted.

I think that’s allowed in the EU as well, it’s just a lot less common. Also, fraud is on the merchant if they don’t ask for CVC2, so if it’s fraud, they pay for it

Oh! In fact, I’ve seen merchants that submit a transaction with CVC2, but if it’s declined, they try again without the CVC2

It’s a pretty risky model

That’s certainly a questionable practice and risky for the merchant. As it goes, I’ve noticed Stripe permits omitting the CVC2 parameter and even ignoring a CVC2 match failure.

Oh! And there are some merchant categories that must provide either CVC2 or require 3DS. More specifically those with high fraud risks, such as gambling - as per Mastercard rules