What is a payment card Service Code?

The Service Code is a 3 digit value encoded into the magnetic stripe on the back of your credit and debit cards. Typical cards actually have two copies of this service code in the magstripe, as it’s present in both Track 1 and Track 2. In both tracks, the service code is encoded to the immediate right of the expiration date in both cases.

The Service Code is separate to and not to be confused with the Card Security Code. The latter is the CVC or CVV value you enter to verify the card when making an online purchase. The Card Security Code is effectively random, and is used to verify that the person making the transaction has a real card in front of them. On the other hand, the Service Code has a specific, well defined structure.

Each number in the service code has a well-defined meaning, known to the card brands and other components of the interchange networks. The purpose of the service code is to tell merchant terminals and acquiring networks about usage restrictions the issuer has placed on this card.

Of course you can’t encode all possible restrictions in these 3 numbers, so they’re quite course-grained. But if you can read the service code from a card, as a merchant terminal would, you have some idea of what the issuer allows the card to be used for.


Service Code Usage

The original use for the Card Service Code is the usage restrictions mentioned above. As examples: the issuer can specify whether the card is intended for international use, or domestic only. And is a PIN required for all transactions? Or more subtly, is a PIN required, but only when the card is used at a terminal with a PIN pad?

But beyond the usage restrictions, the card service code is also used as one of the inputs for the CVC/CVV algorithm. In practice this is the more important use of this field today. Basically all card transactions online are verified using the CVC2/CVC2 on the back of the card.

For this, the card service code is one of the values sent to a payment HSM, along with the PAN and an encryption key. These values are used to calculate what the CVC/CVV for the card should be. The issuer then compares the calculated value to the CVC/CVV value presented by the merchant. If the numbers match, the card is valid. If they don’t, either the number was entered wrong, or it’s a stolen card number.

Code Table

You can decode a card service code using the following table. Note that many of these are effectively N/A, meaning that you won’t see all such service codes in the wild.

Position 1Position 2Position 3
ValueInterchangeTechnologyAuthorization ProcessingAllowed ServicesPIN Requirements
0NormalNo restrictionsPIN Required
1InternationalNo restrictions
2InternationalIntegrated Circuit CardBy Issuer via OnlineGoods and services only
3ATM onlyPIN Required
4By Issuer via Online unless explicit bilateral agreement appliesCash only
5NationalGoods and services onlyPIN Required
6NationalIntegrated Circuit CardNo restrictionsPrompt for PIN if PED present
7PrivateGoods and services onlyPrompt for PIN if PED present

These service codes are intended to be the same across card brands. Whether you have a Mastercard, Visa, or another, the definition of the service code should be the same. This is true whether you are using a prepaid, debit, or credit card – all use these same definitions.

Note that the ‘PIN required’ field in the service code is not the only thing that will determine if a PIN is required. All EMV chip cards also have a list of acceptable ways to verify the card holder encoded on the chip. This list is the CVM (Cardholder Verification Method) list, and can include options such as:

  • No verification required
  • Signature sufficient
  • PIN required

If an EMV terminal is processing an EMV card, the CVM list will determine whether a PIN is required.

Open Loop Example

A typical value for a modern open loop card is 221. Reading from left to right, this means:

  • 2 – International interchange, use IC (chip) where feasible
  • 2 – Contact issuer via online means
  • 1 – No restrictions

The issuer issuer wants the terminal to use the IC (chip) rather than magnetic stripe, if the terminal is chip capable (should be the norm at this point!). Authorizations should be done online, which is reasonable for debit transactions. And there are no special restrictions, meaning the card is general purpose and isn’t limited to ATMs, for example.

Service Code List

The following table illustrates lists commonly used card service codes. For each, we decode the service code to show what the code requires.

Service CodeCard Usage
121International Magstripe card
Authorization by issuer online
No restrictions on terminal
201International Chip card
Normal authorization processing
No terminal restrictions
206International Chip card
Normal authorization processing
Terminal must prompt for PIN if PIN pad present
220International Chip card
Authorization by issuer online
PIN required
221International Chip card
Authorization by issuer online
521National (domestic only) Chip card
Authorization by issuer online
Goods and Services only
Prompt for PIN if PED present

ISO/IEC 7813

Per the ISO 7813 payment card specification, the service code is a mandatory field in both track 1 and track 2. However, the ISO/IEC standard does not require that the service code be a 3 digit value. This field can be populated either with the numeric service code defined above, or instead by a single placeholder symbol.

A different placeholder character is specified for each track on the magnetic stripe.

  • Track 1 placeholder: ^ (caret symbol)
  • Track 2 placeholder: = (equals symbol)

If no service code is defined for this card, the placeholder symbol must be used instead.