Magnetic stripe cards
While working on an old magnetic stripe card reader, I was searching for documents describing the various formats on the tracks. The standard documents covering magnetic cards can be purchased on the ISO website, but a fraction of the contents of these standards can be found on the internet. The information is scattered over various pages, so I decided to wrap up the essence here on one page to have all relevant data in one place. I am not taking any responsibility for the correctness of these findings. If you feel there's an error or something relevant is missing, drop me a line at the mail address below.
Physical characteristics
The size of a magnetic card follows ISO/IEC 7810, format size ID-1.
The magnetic area is at the top on one side of the card. The location of the magnetic strip is 5.7 mm (0.223 inches) below the top edge. The strip contains 3 tracks with a width of 2.8 mm (0.110 inches) each and a spacing of 0.5 mm (0.02 inches).
Magnetics
The terms Hi-Co and Lo-Co refer to the strength of resistance against magnetic fields. Hi-Co magnetic cards need a much stronger magnetic field to be rewritten than Lo-Co cards. Almost all bank and credit cards are Hi-Co cards.
Binary representation
The bits on the magnetic stripes are recorded using the Differential Manchester encoding. This encoding is also known as F2F.
Encoding
Although data can be encoded into symbols arbitrarily, the following encodings are commonly used with magnetic stripe cards.
DEC SIXBIT
DEC SIXBIT is one of many variants of six-bit encodings. A symbol can be transformed to ASCII easily by adding 32 to its decimal value. Used for encoding data on (ISO) track 1.
4-bit BCD LSB
Numeric data 0-9 encoded with 4 bits, LSB first, as binary-coded decimal. Used for encoding data on (ISO) tracks 2 and 3.
| Bitstring | Encoded symbol |
|---|---|
| 0000 | 0 |
| 1000 | 1 |
| 0100 | 2 |
| 1100 | 3 |
| 0010 | 4 |
| 1010 | 5 |
| 0110 | 6 |
| 1110 | 7 |
| 0001 | 8 |
| 1001 | 9 |
| 0101 | : |
| 1101 | ; |
| 0011 | < |
| 1011 | = |
| 0111 | > |
| 1111 | ? |
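The two encodings above, combined with the odd parity bit, sentinels and LRC listed under ISO-7813 below, are enough to turn a raw bitstring into characters. The following decoder is an added example, not code from the original page; `TRACK1`, `TRACK2`, `encode_track` and `decode_track` are hypothetical names, and the sample is constructed. It assumes bits in recorded order (data LSB first, parity last), which is how the Track 2 sentinel table prints them, whereas the Track 1 table prints the six data bits MSB first.

```python
# Added example (not from the original page): symbol framing for tracks 1 and 2.
# Assumption: bits are in recorded order, data LSB first, parity bit last.
TRACK1 = {"data_bits": 6, "offset": 32, "ss": "%"}  # DEC SIXBIT: value + 32
TRACK2 = {"data_bits": 4, "offset": 48, "ss": ";"}  # 4-bit BCD: value + 48

def encode_track(text, data_bits, offset, ss=None):
    """Build a constructed test bitstring from text (SS..ES) and append the LRC."""
    values = [ord(c) - offset for c in text]
    lrc = 0
    for v in values:
        lrc ^= v  # LRC: even parity per bit column over SS..ES
    symbols = []
    for v in values + [lrc]:
        bits = [(v >> i) & 1 for i in range(data_bits)]  # LSB first
        bits.append(1 - sum(bits) % 2)  # odd parity over the whole symbol
        symbols.append("".join(map(str, bits)))
    return "".join(symbols)

def decode_track(bits, data_bits, offset, ss):
    """Return the text from SS to ES; raise ValueError on any integrity error."""
    width = data_bits + 1
    pos = bits.find("1")  # skip leading clocking zeros; both SS start with a 1
    if pos < 0:
        raise ValueError("no data on track")
    values, seen_es = [], False
    while pos + width <= len(bits):
        chunk = bits[pos:pos + width]
        if chunk.count("1") % 2 != 1:
            raise ValueError(f"parity error in symbol {len(values)}")
        values.append(int(chunk[:data_bits][::-1], 2))
        pos += width
        if seen_es:  # the symbol after ES is the LRC
            break
        seen_es = chr(values[-1] + offset) == "?"
    else:
        raise ValueError("track ends before ES and LRC")
    if chr(values[0] + offset) != ss:
        raise ValueError("missing start sentinel")
    lrc = 0
    for v in values:
        lrc ^= v
    if lrc:
        raise ValueError("LRC mismatch")
    return "".join(chr(v + offset) for v in values[:-1])

# Constructed sample: a test PAN, not real card data, padded with clocking zeros.
SAMPLE_T2 = ";4111111111111111=2512101123456789?"
RAW_T2 = "0" * 20 + encode_track(SAMPLE_T2, **TRACK2) + "0" * 20
```

A single flipped bit is caught by the per-symbol parity; two flips inside one symbol pass parity and are only caught by the LRC.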
Standards
ISO-7810
Defines the physical dimensions of the magnetic card (Size: ID-1).
ISO-7811
Aggregates various standards for magnetic stripe cards, focused on the location and the physics of the magnetic tracks.
ISO-7812
Defines the numbering schemes and semantics for the data encoded on tracks 1 and 2.
PAN
The primary account number. Consists of:
- IIN: Issuer Identification Number. Up to 6/8 digits.
- MII: Major Industry Identifier. Up to 2 digits.
- II: Issuer Identifier. Up to 5 digits.
- IAI: Individual Account Number. Up to 12 digits.
- CD: Check Digit. 1 digit. Used for Luhn check.
MII
| Value | Description |
|---|---|
| 0 | Reserved for future use by ISO/TC 68. |
| 00 | Institutions other than card issuers. |
| 1 | Airlines. |
| 2 | Airlines and other future assignments. |
| 3 | Travel and entertainment. |
| 4 | Banking/financial. |
| 5 | Banking/financial. |
| 59 | Financial institutions not registered by ISO. |
| 6 | Merchandising and banking. |
| 7 | Petroleum. |
| 8 | Telecommunications, healthcare and other future assignments. |
| 89 | Telecommunications administrations and private operating agencies. |
| 9 | Reserved for national use. |
ISO-7813
Defines the data structures on tracks 1 and 2 of the magnetic card. The tables below sketch the format found on these tracks.
Track 1 (IATA)
Contains a maximum of 79 alphanumeric data characters encoded using DEC SIXBIT, odd parity.
| Sentinel | Character | Bitstring (including parity) |
|---|---|---|
| Start (SS) | % | 0001011 |
| Field separator (FS) | ^ | 1111100 |
| End (ES) | ? | 0111110 |
| Field length (symbols) | Description |
|---|---|
| 1 | SS |
| 1 | FC - Format code (alpha) |
| 12-19 | PAN - Primary account number according to ISO 7812 |
| 1 | FS |
| 3 | CC - Country code (for PAN starting with 59). |
| 2-26 | Name: Surname(s) (separated if necessary) First name(s) or initial(s) (separated if necessary) Period Title |
| 1 | FS |
| 4 / 1 | ED - Expiry Date: YYMM. If this field is not used a FS will be in place. |
| 3 / 1 | SC - Service code. If this field is not used a FS will be in place. |
| 5 | PVV - PIN verification Value |
| remaining | Discretionary data. Reserved for proprietary use. |
| 1 | ES |
| 1 | LRC - Longitudinal Redundancy Check. |
Track 2 (ABA)
Contains a maximum of 40 numeric data characters encoded using 4-bit BCD LSB, odd parity.
| Sentinel | Character | Bitstring (including parity) |
|---|---|---|
| Start | ; | 11010 |
| Field separator | = | 10110 |
| End | ? | 11111 |
| Field length (symbols) | Description |
|---|---|
| 1 | SS |
| 12-19 | PAN - Primary account number according to ISO 7812 |
| 1 | FS |
| 3 | CC - Country code (for PAN starting with 59) |
| 4 / 1 | ED - Expiry Date: YYMM. If this field is not used a FS will be in place. |
| 3 / 1 | SC - Service code. If this field is not used a FS will be in place. |
| 5 | PVV - PIN verification Value. |
| remaining | Discretionary data. Reserved for proprietary use. |
| 1 | ES |
| 1 | LRC - Longitudinal Redundancy Check. |
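The Track 1 and Track 2 layouts above differ only in the format code, the name field and the separator character, so one parser can split both, including the "field or a single FS in its place" rule and the Luhn check on the PAN. This is an added example, not code from the original page; `luhn_ok` and `parse_track` are hypothetical names, the input is an already decoded string from SS to ES without the LRC, and the PVV is taken as the first five symbols after SC exactly as the tables state.

```python
# Added example (not from the original page): field parser for tracks 1 and 2.
def luhn_ok(pan):
    """Luhn check over the whole PAN, check digit (CD) included."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_track(track):
    """Split a decoded Track 1 or Track 2 string (SS..ES, no LRC) into fields."""
    if len(track) < 3 or track[0] not in "%;" or track[-1] != "?":
        raise ValueError("missing start or end sentinel")
    t1 = track[0] == "%"
    fs = "^" if t1 else "="
    out = {"track": 1 if t1 else 2}
    body = track[1:-1]
    if t1:
        out["FC"], body = body[0], body[1:]
    pan, sep, rest = body.partition(fs)
    if not sep or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12-19 digits followed by FS")
    out["PAN"], out["luhn_ok"] = pan, luhn_ok(pan)
    if pan.startswith("59"):  # CC is only present for PANs starting with 59
        out["CC"], rest = rest[:3], rest[3:]
    if t1:
        out["name"], sep, rest = rest.partition(fs)
        if not sep:
            raise ValueError("name field not terminated by FS")
    for name, size in (("ED", 4), ("SC", 3)):
        if rest[:1] == fs:  # unused field: a single FS in its place
            out[name], rest = None, rest[1:]
        elif len(rest) >= size and rest[:size].isdigit():
            out[name], rest = rest[:size], rest[size:]
        else:
            raise ValueError(f"{name} is neither {size} digits nor FS")
    if out["ED"] and not 1 <= int(out["ED"][2:]) <= 12:
        raise ValueError("ED month out of range")
    # Per the tables, the next 5 symbols are the PVV, the rest is discretionary.
    out["PVV"], out["discretionary"] = (rest[:5], rest[5:]) if len(rest) >= 5 else (None, rest)
    return out

# Constructed samples using a test PAN, not real card data.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^2512101123456789?"
```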
ISO-4909 (THRIFT-TTS)
Defines the data structures on track 3 of the magnetic card for ID and financial transaction cards.
Track 3
Contains a maximum of 107 numeric data characters encoded using 4-bit BCD LSB, odd parity.
| Sentinel | Character | Bitstring (including parity) |
|---|---|---|
| Start | ; | 11010 |
| Field separator | = | 10110 |
| End | ? | 11111 |
| Field length (symbols) | Description |
|---|---|
| 1 | SS |
| 2 | FC - Format code. See extended Information. |
| 12-19 | PAN - Primary account number according to ISO 7812. Mind the note on German banking cards below. |
| 1 | FS |
| 3 | CC - Country code (ISO 3166). If this field is not used a FS will be in place. |
| 3 | CuC - Currency code (ISO 4217). If 3 zeros are written in this field, the card is not valid for international interchange. |
| 1 | CE - Currency exponent, 0-5: Power of ten by which to multiply the currency amount fields (AA and AR) to get their actual values in the currency of the CuC field. |
| 4 | AA - Amount Authorized per cycle. Maximum amount of money permitted in one cycle. If 4 zeros are written in this field, the card is not valid for charge operations (no debit). |
| 4 | AR - Amount Remaining this cycle. Maximum amount of money permitted in this cycle. This field is dynamic: it is initialized with the value of the AA field the first time the card is used in a new cycle, then modified accordingly. |
| 4 | CB - Cycle Begin (Validity Date). Date on which the current cycle began. The format is YDDD where Y stands for the least significant digit of the year and DDD is the day of the year (001 to 366). The field must be updated each time a new cycle begins. Alternatively this field may indicate the date from which the card is valid. |
| 2 | CL - Cycle Length. This field represents the duration of the cycle for which the AA limit holds. See extended Information. |
| 1 | RC - Retry Count. Number of remaining PIN trials. It is initialized to 3 and reduced by one unit after every wrong PIN entered. It is reset to 3 after a successful PIN entry. When this field reaches 0 the card is invalid for any interchange purpose. |
| 6 | PINCP - PIN control parameters. See extended Information. |
| 1 | IC - Interchange Control. See extended Information. |
| 2 | PANSR - PAN service restrictions. See extended Information. |
| 2 | FSANSR - FSAN (First subsidiary account number) service restrictions. See extended Information. |
| 2 | SSANSR - SSAN (Second subsidiary account number) service restrictions. See extended Information. |
| 4 / 1 | ED - Expiry Date: YYMM. If this field is not used a FS will be in place. |
| 3 | CSN - Card sequence number. |
| 9 | CScN - Card security number. If this field is not used a FS will be in place. |
| 3 / 1 | SC - Service code. If this field is not used a FS will be in place. |
| variable | FSAN - First Subsidiary Account Number. Optional field. |
| 1 | FS |
| variable | SSAN - Second Subsidiary Account Number. Optional field. |
| 1 | FS |
| 1 | RM - Relay marker |
| 6 | CCD - Crypto check digit. Integrity check value for magnetic stripe data. |
| 5 | PVV - PIN verification Value. |
| variable | AD - Additional data. |
| 1 | ES |
| 1 | LRC - Longitudinal Redundancy Check. |
Extended Information for track 3 contents
FC - Format code
| Value | Description |
|---|---|
| 01-02 | Bank/financial. These are the formats described here. |
| 03-19 | Reserved for future use by ISO/TC 68. |
| 20-89 | Reserved for future use by ISO/TC 95 SC 17. |
| 90-99 | Reserved for proprietary use of card issuer, but not for international interchange. |
PINCP - PIN control parameters
This field is composed depending on the format code.
FC=01
- Digit 1-2: PIN Algorithm
  - 00-09: private algorithm
  - 10-19: DEA
  - 20-99: reserved for future use by ISO/TC 68
- Digit 3-6: PIN offset or PVV
FC=02
- Digit 1: PIN Algorithm
  - 0: private algorithm
  - 1: DEA
  - 2-9: reserved for future use by ISO/TC 68
- Digit 2: Key
- Digit 3-6: PIN offset or PVV
CL - Cycle Length
| Value | Description |
|---|---|
| 00 | Infinite, AR should be decremented but never reset. |
| 01-79 | Number of days. |
| 80 | Cycle begins every 7 days. |
| 81 | Cycle begins every 14 days. |
| 82 | Cycle begins each 1st and 15th days of every month. |
| 83 | Cycle begins the day of the month specified in CB of every month. |
| 84 | Cycle begins the day of the month specified in CB of every third month. |
| 85 | Cycle begins the day of the month specified in CB of every sixth month. |
| 86 | Cycle begins the day of the year specified in CB of every year. |
| 87-89 | Reserved for future use by ISO/TC 68. |
| 90-99 | Reserved for proprietary use of card issuer, but not for international interchange. |
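The cycle fields of track 3 (CE, AA, AR, CB, CL) interact, so here is how they combine into the amount that is usable on a given day. This is an added example, not code from the original page; the function names are hypothetical and the field values in any call are constructed. Two assumptions go beyond the tables: the single year digit Y is resolved to the latest matching year that does not lie after the evaluation date, and a monthly cycle day that does not exist in the target month is clamped to that month's last day.

```python
# Added example (not from the original page): evaluating the track 3 cycle fields.
import calendar
from datetime import date, timedelta

def resolve_cb(cb, today):
    """CB is YDDD. Assumption: Y maps to the latest matching year not after today."""
    y, ddd = int(cb[0]), int(cb[1:])
    year = today.year - (today.year - y) % 10
    start = date(year, 1, 1) + timedelta(days=ddd - 1)
    if start > today:
        start = date(year - 10, 1, 1) + timedelta(days=ddd - 1)
    return start

def add_months(d, n):
    """Add n months. Assumption: clamp the day to the end of a shorter month."""
    m = d.month - 1 + n
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def next_cycle(start, cl):
    """First day of the cycle after the one that began on start; None = never."""
    code = int(cl)
    if code == 0:  # infinite: AR is decremented but never reset
        return None
    if 1 <= code <= 79:  # number of days
        return start + timedelta(days=code)
    if code in (80, 81):  # every 7 or 14 days
        return start + timedelta(days=7 * (code - 79))
    if code == 82:  # 1st and 15th of every month
        return start.replace(day=15) if start.day < 15 else add_months(start.replace(day=1), 1)
    if code in (83, 84, 85, 86):  # every 1, 3, 6 or 12 months on the CB day
        return add_months(start, {83: 1, 84: 3, 85: 6, 86: 12}[code])
    raise ValueError(f"CL {cl} is reserved or proprietary")

def available(ce, aa, ar, cb, cl, today):
    """Amount usable today in CuC units: AR, or AA once a new cycle has begun."""
    nxt = next_cycle(resolve_cb(cb, today), cl)
    units = int(aa) if nxt is not None and today >= nxt else int(ar)
    return units * 10 ** int(ce)
```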
IC - Interchange Control
| Value | Description |
|---|---|
| 0 | No restriction. |
| 1 | Not available for international interchange. |
| 2-8 | Limited interchange, only local use and under agreement. |
| 9 | Limited interchange, recommended for test cards. |
PANSR, FSANSR, SSANSR - Service restrictions
The first digit defines the type of account.
| Value | Description |
|---|---|
| 0 | Associated account number not encoded on track. |
| 1 | Savings account. |
| 2 | Current or checking account. |
| 3 | Credit card account. |
| 4 | Generic or universal account. |
| 5 | Interest-bearing current or checking account. |
| 6-8 | Reserved for future use by ISO/TC 68. |
| 9 | Reserved for card issuer's internal use, not for interchange. |
The second digit defines the service restrictions.
| Value | Description |
|---|---|
| 0 | No restrictions. |
| 1 | No cash dispense. |
| 2 | No point of sale (POS) transaction. |
| 3 | No cash dispense and no POS transaction. |
| 4 | Authorization required. |
| 5-7 | Reserved for future use by ISO/TC 68. |
| 8-9 | Reserved for card issuer's internal use, only local use and under |
CScN - Card security number
The first digit represents the algorithm used to calculate a verification value to validate the information on the magnetic track against the embossed characters.
| Value | Description |
|---|---|
| 0-4 | national use |
| 5-8 | international security methods given by ISO/TC 68 |
| 9 | private use |
The remaining 8 digits are the verification value.
German banking cards
German banking cards employ the ISO 4909 format; however, the field containing the PAN is structured as follows:
| Field length | Description |
|---|---|
| 10 | National bank routing code (Bankleitzahl) |
| 1 | FS |
| 8 | Bank account number (Kontonummer) |
Siemens SIPORT
Magnetic card readers were used by Siemens for their SIPORT system some time ago. The cards I could get hold of had a slightly different encoding on the magnetic tracks compared to the ISO standards - sufficiently different that standard card readers doing the decoding in one step won't recognize any data or will return a failed read.
From what I've seen, the SIPORT cards use a different start sentinel and 8 bits per data symbol (only 5 are essentially used and 3 bits are spacing). The bit order is LSB first.
A note on security
It's obvious that (standard) magnetic stripe cards are inherently insecure. I've had access cards that had the contents of the magnetic stripe (which in most cases is the access token) printed on them. In that case you don't even need physical access to the card you'd like to copy.
So, if you are using magnetic stripe cards for access/security control, don't print the contents on the card. Use blank cards only or, if you need to keep track of the card itself, print an unrelated unique id on the card (UUIDv4, serial number, etc.).
Contact
mike alpha golf charlie alpha romeo delta sierra @ kilo yankee uniform bravo uniform . delta echo