The stripe on the back of a credit card is a magnetic stripe, often called a magstripe. The magstripe is made up of tiny iron-based magnetic particles in a plastic-like film. Each particle is really a tiny bar magnet about 20-millionths of an inch long.
The magstripe can be "written" because the tiny bar magnets can be magnetized in either a north or south pole direction. The magstripe on the back of the card is very similar to a piece of cassette tape (see How Cassette Tapes Work for details).
A magstripe reader (you may have seen one hooked to someone's PC at a bazaar or fair) can understand the information on the three-track stripe. If the ATM isn't accepting your card, your problem is probably either:
- A dirty or scratched magstripe
- An erased magstripe (The most common causes for erased magstripes are exposure to magnets, like the small ones used to hold notes and pictures on the refrigerator, and exposure to a store's electronic article surveillance (EAS) tag demagnetizer.)
There are three tracks on the magstripe. Each track is about one-tenth of an inch wide. The ISO/IEC standard 7811, which is used by banks, specifies:
- Track one is 210 bits per inch (bpi), and holds 79 6-bit plus parity bit read-only characters.
- Track two is 75 bpi, and holds 40 4-bit plus parity bit characters.
- Track three is 210 bpi, and holds 107 4-bit plus parity bit characters.
Your credit card typically uses only tracks one and two. Track three is a read/write track (which includes an encrypted PIN, country code, currency units and amount authorized), but its usage is not standardized among banks.
The information on track one is contained in two formats: A, which is reserved for proprietary use of the card issuer, and B, which includes the following:
- Start sentinel - one character
- Format code="B" - one character (alpha only)
- Primary account number - up to 19 characters
- Separator - one character
- Country code - three characters
- Name - two to 26 characters
- Separator - one character
- Expiration date or separator - four characters or one character
- Discretionary data - enough characters to fill out maximum record length (79 characters total)
- End sentinel - one character
- Longitudinal redundancy check (LRC) - one character. The LRC is a form of computed check character.
The format for track two, developed by the banking industry, is as follows:
- Start sentinel - one character
- Primary account number - up to 19 characters
- Separator - one character
- Country code - three characters
- Expiration date or separator - four characters or one character
- Discretionary data - enough characters to fill out maximum record length (40 characters total)
- LRC - one character
For more information on track format, see ISO Magnetic Stripe Card Standards.
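The track-two layout and the "4-bit plus parity bit" characters described above can be checked in code. This is an added example, not from the original article: it decodes a track-two bit stream, verifies each character's odd parity and the LRC, then splits the fields in the order listed. The sentinel and separator characters (`;`, `=`, `?`), the end sentinel before the LRC, and the rule that a country code appears only when the account number starts with 59 come from the ISO track-two format rather than from this page, and the sample record is constructed around a test card number.

```python
# Added example: track-two framing, parity and LRC. Sample data is constructed.

def encode_char(value):
    """4 data bits, least significant first, then an odd-parity bit."""
    bits = [(value >> i) & 1 for i in range(4)]
    return bits + [1 - sum(bits) % 2]

def encode_track2(text):
    """Encode ';...?' text to a bit list and append the LRC character."""
    values = [ord(c) - 0x30 for c in text]
    lrc = 0
    for v in values:
        lrc ^= v                      # even parity down each data-bit column
    return [b for v in values + [lrc] for b in encode_char(v)]

def decode_track2(bits):
    """Return the parsed fields; raise ValueError on parity, LRC or framing errors."""
    if len(bits) % 5 or len(bits) > 40 * 5:
        raise ValueError("bad record length")
    values = []
    for i in range(0, len(bits), 5):
        chunk = bits[i:i + 5]
        if sum(chunk) % 2 != 1:
            raise ValueError(f"parity error in character {i // 5}")
        values.append(sum(b << n for n, b in enumerate(chunk[:4])))
    check = 0
    for v in values:
        check ^= v                    # XOR over data plus LRC must cancel to 0
    if check:
        raise ValueError("LRC mismatch")
    text = "".join(chr(v + 0x30) for v in values[:-1])
    if len(text) < 2 or text[0] != ";" or text[-1] != "?":
        raise ValueError("missing start or end sentinel")
    pan, sep, rest = text[1:-1].partition("=")
    if not sep or not pan.isdigit() or len(pan) > 19:
        raise ValueError("bad primary account number")
    country = None
    if pan.startswith("59"):          # assumption: country code only on such PANs
        country, rest = rest[:3], rest[3:]
    if rest.startswith("="):          # separator stands in for a missing expiry
        expiry, rest = None, rest[1:]
    else:
        expiry, rest = rest[:4], rest[4:]
    return {"pan": pan, "country": country, "expiry": expiry, "discretionary": rest}

SAMPLE = ";4111111111111111=2512101000000?"   # constructed test record
```

A single flipped bit is caught by the per-character parity check, while two flipped bits inside one character pass parity and are caught only by the LRC.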
There are three basic methods for determining whether your credit card will pay for what you're charging:
- Merchants with few transactions each month do voice authentication using a touch-tone phone.
- Electronic data capture (EDC) magstripe-card swipe terminals are becoming more common -- so is swiping your own card at the checkout.
- Virtual terminals on the Internet
This is how it works: After you or the cashier swipes your credit card through a reader, the EDC software at the point-of-sale (POS) terminal dials a stored telephone number (using a modem) to call an acquirer. An acquirer is an organization that collects credit-authentication requests from merchants and provides the merchants with a payment guarantee.
When the acquirer company gets the credit-card authentication request, it checks the transaction for validity and the record on the magstripe for:
- Merchant ID
- Valid card number
- Expiration date
- Credit-card limit
- Card usage
Single dial-up transactions are processed at 1,200 to 2,400 bits per second (bps), while direct Internet attachment uses much higher speeds via this protocol. In this system, the cardholder enters a personal identification number (PIN) using a keypad.
The PIN is not on the card -- it is encrypted (hidden in code) in a database. (For example, before you get cash from an ATM, the ATM encrypts the PIN and sends it to the database to see if there is a match.) The PIN can be either in the bank's computers in an encrypted form (as a cipher) or encrypted on the card itself. The transformation used in this type of cryptography is called one-way. This means that it's easy to compute a cipher given the bank's key and the customer's PIN, but not computationally feasible to obtain the plain-text PIN from the cipher, even if the key is known. This feature was designed to protect the cardholder from being impersonated by someone who has access to the bank's computer files.
Likewise, the communications between the ATM and the bank's central computer are encrypted to prevent would-be thieves from tapping into the phone lines, recording the signals sent to the ATM to authorize the dispensing of cash and then feeding the same signals to the ATM to trick it into unauthorized dispensing of cash.
If this isn't enough protection to ease your mind, there are now cards that utilize even more security measures than your conventional credit card: Smart Cards.